{"id":"CVE-2022-26651","details":"An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in Asterisk 16.25.2, 18.11.2, and 19.3.2, and in Certified Asterisk 16.8-cert14.","modified":"2026-02-03T07:32:48.956475Z","published":"2022-04-15T05:15:06.683Z","references":[{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html"},{"type":"ADVISORY","url":"https://downloads.asterisk.org/pub/security/"},{"type":"ADVISORY","url":"https://downloads.asterisk.org/pub/security/AST-2022-003.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5285"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"2c1bba3cbec008c8ce35c78a2c79f9f207ea58bc"},{"fixed":"3e57d107467db7b5e4b64db75edf09641881c9fd"},{"introduced":"a65908f83e2f17a3aca7eb39c8e06045aca02674"},{"fixed":"8898781851e446bd6eebb74592d8005e0511f1e1"},{"introduced":"de4f63b4824c91a0cd9f3d95f3b7923bec71960c"},{"fixed":"91be429a41b9a9090e7e2b7b1efc9bea61571292"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-26651.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}