{"id":"CVE-2022-26499","details":"An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.","modified":"2026-04-10T04:46:15.166002Z","published":"2022-04-15T05:15:06.640Z","references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5285"},{"type":"ADVISORY","url":"https://downloads.asterisk.org/pub/security/"},{"type":"REPORT","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"type":"FIX","url":"http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html"},{"type":"FIX","url":"https://downloads.asterisk.org/pub/security/AST-2022-002.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"b240b843312850b724c5a37340d61101a613d8d1"},{"last_affected":"6d73e6ba9d825e7f72bde37cd984ad45068b89d3"},{"introduced":"2c1bba3cbec008c8ce35c78a2c79f9f207ea58bc"},{"fixed":"3e57d107467db7b5e4b64db75edf09641881c9fd"},{"introduced":"de4f63b4824c91a0cd9f3d95f3b7923bec71960c"},{"last_affected":"8ed1eeeaa6f42cde7759dfcd27c4c6dceb67095b"},{"introduced":"0"},{"last_affected":"847f753c4eda5891c4fe77dd7d0341381cb84975"},{"introduced":"0"},{"last_affected":"affbc6907eb544bc6e049085de91002ca24ff930"}],"database_specific":{"versions":[{"introduced":"16.15.0"},{"last_affected":"16.25.1"},{"introduced":"18.0"},{"fixed":"18.11.2"},{"introduced":"19.0.0"},{"last_affected":"19.3.1"},{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"0"},{"last_affected":"11.0"}]}}],"versions":["10.0.0","10.0.0-rc1","10.0.0-rc2","10.0.0-rc3","11.0.0","11.0.0-rc1","11.0.0-rc2","16.25.0","16.25.0-rc1","16.25.1","18.11.0","18.11.0-rc1","18.11.1","19.3.0","19.3.0-rc1","19.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26499.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}