cli_permissions.conf: deny option does not work for disallowing shell commands · Advisory · asterisk/asterisk · GitHub
cli_permissions.conf: deny option does not work for disallowing shell commands
Severity: Moderate / 10
Package: asterisk (Asterisk)
Affected versions: <= 18.26.1, <= 20.14.0, <= 21.9.0, <= 22.4.0, <= 18.9-cert13, <= 20.7-cert4
Patched versions: 18.26.2, 20.14.1, 21.9.1, 22.4.1, 18.9-cert14, 20.7-cert5

CVSS v4 base metrics
Exploitability: Attack Vector Local; Attack Complexity Low; Attack Requirements None; Privileges Required Low; User Interaction None
Vulnerable System Impact: Confidentiality Low; Integrity Low; Availability Low
Subsequent System Impact: Confidentiality None; Integrity None; Availability None
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CVE ID: CVE-2025-47780
Weakness: CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Credits: maximilianfridrich (Reporter)
Summary

Trying to disallow shell commands from being run via the Asterisk CLI by configuring cli_permissions.conf (e.g. with the config line `deny=!*`) does not work, which could lead to a security risk.

Details

With the file cli_permissions.conf you can deny certain commands (also with regexes) on the Asterisk CLI. However, when trying to disallow shell commands (e.g. with the config line `deny=!*`), the user can still execute shell commands via the Asterisk CLI. The issue is that in main/asterisk.c:remoteconsolehandler() (and in consolehandler()), ast_safe_system is executed immediately and the call to cli.c:cli_has_permissions() is completely skipped.

PoC

Example cli_permissions.conf:

With this config, when connecting to the Asterisk CLI remotely (asterisk -r), `!whoami` for example is incorrectly permitted, while `pjsip show endpoints` is correctly denied.

Impact

If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability.