{"id":"DEBIAN-CVE-2017-14100","details":"In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an \"externnotify\" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.","modified":"2026-04-28T20:16:43.971539Z","published":"2017-09-02T16:29:00.333Z","upstream":["CVE-2017-14100"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2017-14100"}],"affected":[{"package":{"name":"asterisk","ecosystem":"Debian:11","purl":"pkg:deb/debian/asterisk?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:13.17.1~dfsg-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-14100.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}