CVE-2012-2414 [Medium] | Authentication Bypass in Open Source

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	4.28%	2.72%	-1.56%
2	2025-03-30	5.41%	4.28%	-1.14%
3	2025-03-29	—	5.41%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

4.28%

2.72%

-1.56%

2025-03-30

5.41%

4.28%

-1.14%

2025-03-29

—

5.41%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.5	2.0	MEDIUM	`AV:N/AC:L/Au:S/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:S) A single authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.0	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.5

2.0

MEDIUM

AV:N/AC:L/Au:S/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:S): A single authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.0

6.4

[email protected]

OS Trackers for CVE-2012-2414

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2012-2414 not yet assigned priority: Debian including 1 source packages (asterisk), 2 status rows across 2 suites (bullseye, sid): resolved 2.	https://security-tracker.debian.org/tracker/CVE-2012-2414
`gentoo`	normal	CVE-2012-2414: 1 GLSA(s) (201206-05), 1 atom(s) (net-misc/asterisk); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2012-2414
`ubuntu`	low	CVE-2012-2414 low priority: Ubuntu including 1 source packages (asterisk), 16 status rows across 16 suites (hardy, lucid, natty, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): not-affected 10, ignored 4, DNE 1, released 1.	https://ubuntu.com/security/CVE-2012-2414

Affected software / configurations for CVE-2012-2414

Vendor	Product	Version	Raw CPE
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:::::::*
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc2::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc3::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc4::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc5::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc6::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc7::::::
asterisk	open_source	1.6.2.0	cpe:2.3:a:asterisk:open_source:1.6.2.0:rc8::::::
asterisk	open_source	1.6.2.1	cpe:2.3:a:asterisk:open_source:1.6.2.1:::::::*
asterisk	open_source	1.6.2.1	cpe:2.3:a:asterisk:open_source:1.6.2.1:rc1::::::
asterisk	open_source	1.6.2.2	cpe:2.3:a:asterisk:open_source:1.6.2.2:::::::*
asterisk	open_source	1.6.2.3	cpe:2.3:a:asterisk:open_source:1.6.2.3:rc2::::::
asterisk	open_source	1.6.2.4	cpe:2.3:a:asterisk:open_source:1.6.2.4:::::::*
asterisk	open_source	1.6.2.5	cpe:2.3:a:asterisk:open_source:1.6.2.5:::::::*
asterisk	open_source	1.6.2.6	cpe:2.3:a:asterisk:open_source:1.6.2.6:::::::*
asterisk	open_source	1.6.2.6	cpe:2.3:a:asterisk:open_source:1.6.2.6:rc1::::::
asterisk	open_source	1.6.2.6	cpe:2.3:a:asterisk:open_source:1.6.2.6:rc2::::::
asterisk	open_source	1.6.2.7	cpe:2.3:a:asterisk:open_source:1.6.2.7:::::::*
asterisk	open_source	1.6.2.7	cpe:2.3:a:asterisk:open_source:1.6.2.7:rc1::::::
asterisk	open_source	1.6.2.7	cpe:2.3:a:asterisk:open_source:1.6.2.7:rc2::::::
asterisk	open_source	1.6.2.7	cpe:2.3:a:asterisk:open_source:1.6.2.7:rc3::::::
asterisk	open_source	1.6.2.8	cpe:2.3:a:asterisk:open_source:1.6.2.8:::::::*
asterisk	open_source	1.6.2.8	cpe:2.3:a:asterisk:open_source:1.6.2.8:rc1::::::
asterisk	open_source	1.6.2.9	cpe:2.3:a:asterisk:open_source:1.6.2.9:::::::*
asterisk	open_source	1.6.2.9	cpe:2.3:a:asterisk:open_source:1.6.2.9:rc1::::::
asterisk	open_source	1.6.2.9	cpe:2.3:a:asterisk:open_source:1.6.2.9:rc2::::::
asterisk	open_source	1.6.2.9	cpe:2.3:a:asterisk:open_source:1.6.2.9:rc3::::::
asterisk	open_source	1.6.2.10	cpe:2.3:a:asterisk:open_source:1.6.2.10:::::::*
asterisk	open_source	1.6.2.10	cpe:2.3:a:asterisk:open_source:1.6.2.10:rc1::::::
asterisk	open_source	1.6.2.10	cpe:2.3:a:asterisk:open_source:1.6.2.10:rc2::::::
asterisk	open_source	1.6.2.11	cpe:2.3:a:asterisk:open_source:1.6.2.11:::::::*
asterisk	open_source	1.6.2.11	cpe:2.3:a:asterisk:open_source:1.6.2.11:rc1::::::
asterisk	open_source	1.6.2.11	cpe:2.3:a:asterisk:open_source:1.6.2.11:rc2::::::
asterisk	open_source	1.6.2.12	cpe:2.3:a:asterisk:open_source:1.6.2.12:::::::*
asterisk	open_source	1.6.2.12	cpe:2.3:a:asterisk:open_source:1.6.2.12:rc1::::::
asterisk	open_source	1.6.2.13	cpe:2.3:a:asterisk:open_source:1.6.2.13:::::::*
asterisk	open_source	1.6.2.14	cpe:2.3:a:asterisk:open_source:1.6.2.14:::::::*
asterisk	open_source	1.6.2.14	cpe:2.3:a:asterisk:open_source:1.6.2.14:rc1::::::
asterisk	open_source	1.6.2.15	cpe:2.3:a:asterisk:open_source:1.6.2.15:::::::*
asterisk	open_source	1.6.2.15	cpe:2.3:a:asterisk:open_source:1.6.2.15:rc1::::::
asterisk	open_source	1.6.2.15.1	cpe:2.3:a:asterisk:open_source:1.6.2.15.1:::::::*
asterisk	open_source	1.6.2.16	cpe:2.3:a:asterisk:open_source:1.6.2.16:::::::*
asterisk	open_source	1.6.2.16	cpe:2.3:a:asterisk:open_source:1.6.2.16:rc1::::::
asterisk	open_source	1.6.2.16.1	cpe:2.3:a:asterisk:open_source:1.6.2.16.1:::::::*
asterisk	open_source	1.6.2.16.2	cpe:2.3:a:asterisk:open_source:1.6.2.16.2:::::::*
asterisk	open_source	1.6.2.17	cpe:2.3:a:asterisk:open_source:1.6.2.17:::::::*
asterisk	open_source	1.6.2.17	cpe:2.3:a:asterisk:open_source:1.6.2.17:rc1::::::
asterisk	open_source	1.6.2.17	cpe:2.3:a:asterisk:open_source:1.6.2.17:rc2::::::
asterisk	open_source	1.6.2.17	cpe:2.3:a:asterisk:open_source:1.6.2.17:rc3::::::
asterisk	open_source	1.6.2.17.1	cpe:2.3:a:asterisk:open_source:1.6.2.17.1:::::::*
asterisk	open_source	1.6.2.17.2	cpe:2.3:a:asterisk:open_source:1.6.2.17.2:::::::*
asterisk	open_source	1.6.2.17.3	cpe:2.3:a:asterisk:open_source:1.6.2.17.3:::::::*
asterisk	open_source	1.6.2.18	cpe:2.3:a:asterisk:open_source:1.6.2.18:::::::*
asterisk	open_source	1.6.2.18	cpe:2.3:a:asterisk:open_source:1.6.2.18:rc1::::::
asterisk	open_source	1.6.2.18.1	cpe:2.3:a:asterisk:open_source:1.6.2.18.1:::::::*
asterisk	open_source	1.6.2.18.2	cpe:2.3:a:asterisk:open_source:1.6.2.18.2:::::::*
asterisk	open_source	1.6.2.19	cpe:2.3:a:asterisk:open_source:1.6.2.19:::::::*
asterisk	open_source	1.6.2.19	cpe:2.3:a:asterisk:open_source:1.6.2.19:rc1::::::
asterisk	open_source	1.6.2.20	cpe:2.3:a:asterisk:open_source:1.6.2.20:::::::*
asterisk	open_source	1.6.2.21	cpe:2.3:a:asterisk:open_source:1.6.2.21:::::::*
asterisk	open_source	1.6.2.22	cpe:2.3:a:asterisk:open_source:1.6.2.22:::::::*
asterisk	open_source	1.6.2.23	cpe:2.3:a:asterisk:open_source:1.6.2.23:::::::*
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:::::::*
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:beta1::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:beta2::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:beta3::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:beta4::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:beta5::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:rc2::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:rc3::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:rc4::::::
asterisk	open_source	1.8.0	cpe:2.3:a:asterisk:open_source:1.8.0:rc5::::::
asterisk	open_source	1.8.1	cpe:2.3:a:asterisk:open_source:1.8.1:::::::*
asterisk	open_source	1.8.1	cpe:2.3:a:asterisk:open_source:1.8.1:rc1::::::
asterisk	open_source	1.8.1.1	cpe:2.3:a:asterisk:open_source:1.8.1.1:::::::*
asterisk	open_source	1.8.1.2	cpe:2.3:a:asterisk:open_source:1.8.1.2:::::::*
asterisk	open_source	1.8.2	cpe:2.3:a:asterisk:open_source:1.8.2:::::::*
asterisk	open_source	1.8.2	cpe:2.3:a:asterisk:open_source:1.8.2:rc1::::::
asterisk	open_source	1.8.2.1	cpe:2.3:a:asterisk:open_source:1.8.2.1:::::::*
asterisk	open_source	1.8.2.2	cpe:2.3:a:asterisk:open_source:1.8.2.2:::::::*

References for CVE-2012-2414

URL	Tags
http://downloads.asterisk.org/pub/security/AST-2012-004.html	Patch Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
http://osvdb.org/81454
http://secunia.com/advisories/48891
http://secunia.com/advisories/48941
http://www.debian.org/security/2012/dsa-2460
http://www.securityfocus.com/bid/53206
http://www.securitytracker.com/id?1026961
https://exchange.xforce.ibmcloud.com/vulnerabilities/75100

URL

CVE-2012-2414

Exploit prediction scoring system (EPSS) score for CVE-2012-2414

Common vulnerability scoring system (CVSS) metrics for CVE-2012-2414

Weakness enumeration for CVE-2012-2414

OS Trackers for CVE-2012-2414

Affected software / configurations for CVE-2012-2414

References for CVE-2012-2414