Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0149

NIXPKGS-2026-0149

GitHub issue published on

Permalink CVE-2026-23738

3.5 LOW

CVSS version (CVSS): 3.1
Attack Vector (AV): Adjacent (A)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): None (N)
Availability (A): None (N)
Modified Attack Vector (MAV): Adjacent (A)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): Low (L)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): None (N)

updated 3 months, 3 weeks ago by @LeSuisse Activity log

Created suggestion 3 months, 3 weeks ago
@LeSuisse ignored
5 packages
- asterisk-ldap
- asterisk-module-sccp
- python312Packages.asterisk-mbox
- python313Packages.asterisk-mbox
- python314Packages.asterisk-mbox
3 months, 3 weeks ago
@LeSuisse accepted 3 months, 3 weeks ago
@LeSuisse published on GitHub 3 months, 3 weeks ago

The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

References

https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh x_refsource_CONFIRM

Affected products

asterisk

==< 21.12.1
==< 22.8.2
==< 23.2.2
==< 20.18.2
==< 20.7-cert9

Matching in nixpkgs

pkgs.asterisk_18

Software implementation of a telephone private branch exchange (PBX)

pkgs.asterisk_20

Software implementation of a telephone private branch exchange (PBX)

nixos-unstable 20.18.0
- nixpkgs-unstable 20.18.0
- nixos-unstable-small 20.18.0
nixos-25.11 20.18.0
- nixos-25.11-small 20.18.0
- nixpkgs-25.11-darwin 20.18.0

pkgs.asterisk_22

Software implementation of a telephone private branch exchange (PBX)

nixos-unstable 22.8.0
- nixpkgs-unstable 22.8.0
- nixos-unstable-small 22.8.0
nixos-25.11 22.8.0
- nixos-25.11-small 22.8.0
- nixpkgs-25.11-darwin 22.8.0

pkgs.asterisk_23

Software implementation of a telephone private branch exchange (PBX)

nixos-unstable 23.2.0
- nixpkgs-unstable 23.2.0
- nixos-unstable-small 23.2.0
nixos-25.11 23.2.0
- nixos-25.11-small 23.2.0
- nixpkgs-25.11-darwin 23.2.0

Ignored packages (5)

pkgs.asterisk-ldap

Software implementation of a telephone private branch exchange (PBX)

nixos-unstable 22.8.0
- nixpkgs-unstable 22.8.0
- nixos-unstable-small 22.8.0
nixos-25.11 22.8.0
- nixos-25.11-small 22.8.0
- nixpkgs-25.11-darwin 22.8.0

pkgs.asterisk-module-sccp

Replacement for the SCCP channel driver in Asterisk

pkgs.python312Packages.asterisk-mbox

Client side of a client/server to interact with Asterisk voicemail mailboxes

nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.python313Packages.asterisk-mbox

Client side of a client/server to interact with Asterisk voicemail mailboxes

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.python314Packages.asterisk-mbox

Client side of a client/server to interact with Asterisk voicemail mailboxes

nixos-unstable 0.5.0
- nixpkgs-unstable 0.5.0
- nixos-unstable-small 0.5.0

Package maintainers

@yorickvP Yorick van Pelt <yorickvanpelt@gmail.com>
@auntieNeo Jonathan Glines <auntieNeo@gmail.com>
@DerTim1 Tim Digel <tim.digel@active-group.de>

Upstream advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh