{"id":"CVE-2022-26499","details":"A server-side request forgery (SSRF) issue was discovered in Asterisk through 19.x. When STIR/SHAKEN is in use, the Identity header can be used to make Asterisk send arbitrary requests (such as GET) to interfaces such as localhost. This is fixed in 16.25.2, 18.11.2, and 19.3.2.","modified":"2025-11-14T03:34:55.163755Z","published":"2022-04-15T05:15:06.640Z","references":[{"type":"FIX","url":"http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html"},{"type":"ADVISORY","url":"https://downloads.asterisk.org/pub/security/"},{"type":"FIX","url":"https://downloads.asterisk.org/pub/security/AST-2022-002.html"},{"type":"REPORT","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5285"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"2c1bba3cbec008c8ce35c78a2c79f9f207ea58bc"},{"fixed":"3e57d107467db7b5e4b64db75edf09641881c9fd"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-26499.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}