Lucene search
HistoryAug 02, 2023 - 4:15 p.m.
CVE-2023-38138
cve-2023-38138
reflected xss
big-ip configuration utility
javascript
security vulnerability
nvd
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.9 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
16.9%
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected configurations
Node
f5big-ip_access_policy_managerRange13.1.0–13.1.5
ORf5big-ip_access_policy_managerRange14.1.0–14.1.5.5
ORf5big-ip_access_policy_managerRange15.1.0–15.1.9.1
ORf5big-ip_access_policy_managerRange16.1.0–16.1.3.5
ORf5big-ip_access_policy_managerRange17.0.0–17.1.0.2
ORf5big-ip_advanced_firewall_managerRange13.1.0–13.1.5
ORf5big-ip_advanced_firewall_managerRange14.1.0–14.1.5.5
ORf5big-ip_advanced_firewall_managerRange15.1.0–15.1.9.1
ORf5big-ip_advanced_firewall_managerRange16.1.0–16.1.3.5
ORf5big-ip_advanced_firewall_managerRange17.0.0–17.1.0.2
ORf5big-ip_advanced_web_application_firewallRange13.1.0–13.1.5
ORf5big-ip_advanced_web_application_firewallRange14.1.0–14.1.5.5
ORf5big-ip_advanced_web_application_firewallRange15.1.0–15.1.9.1
ORf5big-ip_advanced_web_application_firewallRange16.1.0–16.1.3.5
ORf5big-ip_advanced_web_application_firewallRange17.0.0–17.1.0.2
ORf5big-ip_analyticsRange13.1.0–13.1.5
ORf5big-ip_analyticsRange14.1.0–14.1.5.5
ORf5big-ip_analyticsRange15.1.0–15.1.9.1
ORf5big-ip_analyticsRange16.1.0–16.1.3.5
ORf5big-ip_analyticsRange17.0.0–17.1.0.2
ORf5big-ip_application_acceleration_managerRange13.1.0–13.1.5
ORf5big-ip_application_acceleration_managerRange14.1.0–14.1.5.5
ORf5big-ip_application_acceleration_managerRange15.1.0–15.1.9.1
ORf5big-ip_application_acceleration_managerRange16.1.0–16.1.3.5
ORf5big-ip_application_acceleration_managerRange17.0.0–17.1.0.2
ORf5big-ip_application_security_managerRange13.1.0–13.1.5
ORf5big-ip_application_security_managerRange14.1.0–14.1.5.5
ORf5big-ip_application_security_managerRange15.1.0–15.1.9.1
ORf5big-ip_application_security_managerRange16.1.0–16.1.3.5
ORf5big-ip_application_security_managerRange17.0.0–17.1.0.2
ORf5big-ip_application_visibility_and_reportingRange13.1.0–13.1.5
ORf5big-ip_application_visibility_and_reportingRange14.1.0–14.1.5.5
ORf5big-ip_application_visibility_and_reportingRange15.1.0–15.1.9.1
ORf5big-ip_application_visibility_and_reportingRange16.1.0–16.1.3.5
ORf5big-ip_application_visibility_and_reportingRange17.0.0–17.1.0.2
ORf5big-ip_carrier-grade_natRange13.1.0–13.1.5
ORf5big-ip_carrier-grade_natRange14.1.0–14.1.5.5
ORf5big-ip_carrier-grade_natRange15.1.0–15.1.9.1
ORf5big-ip_carrier-grade_natRange16.1.0–16.1.3.5
ORf5big-ip_carrier-grade_natRange17.0.0–17.1.0.2
ORf5big-ip_ddos_hybrid_defenderRange13.1.0–13.1.5
ORf5big-ip_ddos_hybrid_defenderRange14.1.0–14.1.5.5
ORf5big-ip_ddos_hybrid_defenderRange15.1.0–15.1.9.1
ORf5big-ip_ddos_hybrid_defenderRange16.1.0–16.1.3.5
ORf5big-ip_ddos_hybrid_defenderRange17.0.0–17.1.0.2
ORf5big-ip_domain_name_systemRange13.1.0–13.1.5
ORf5big-ip_domain_name_systemRange14.1.0–14.1.5.5
ORf5big-ip_domain_name_systemRange15.1.0–15.1.9.1
ORf5big-ip_domain_name_systemRange16.1.0–16.1.3.5
ORf5big-ip_domain_name_systemRange17.0.0–17.1.0.2
ORf5big-ip_edge_gatewayRange13.1.0–13.1.5
ORf5big-ip_edge_gatewayRange14.1.0–14.1.5.5
ORf5big-ip_edge_gatewayRange15.1.0–15.1.9.1
ORf5big-ip_edge_gatewayRange16.1.0–16.1.3.5
ORf5big-ip_edge_gatewayRange17.0.0–17.1.0.2
ORf5big-ip_fraud_protection_serviceRange13.1.0–13.1.5
ORf5big-ip_fraud_protection_serviceRange14.1.0–14.1.5.5
ORf5big-ip_fraud_protection_serviceRange15.1.0–15.1.9.1
ORf5big-ip_fraud_protection_serviceRange16.1.0–16.1.3.5
ORf5big-ip_fraud_protection_serviceRange17.0.0–17.1.0.2
ORf5big-ip_global_traffic_managerRange13.1.0–13.1.5
ORf5big-ip_global_traffic_managerRange14.1.0–14.1.5.5
ORf5big-ip_global_traffic_managerRange15.1.0–15.1.9.1
ORf5big-ip_global_traffic_managerRange16.1.0–16.1.3.5
ORf5big-ip_global_traffic_managerRange17.0.0–17.1.0.2
ORf5big-ip_link_controllerRange13.1.0–13.1.5
ORf5big-ip_link_controllerRange14.1.0–14.1.5.5
ORf5big-ip_link_controllerRange15.1.0–15.1.9.1
ORf5big-ip_link_controllerRange16.1.0–16.1.3.5
ORf5big-ip_link_controllerRange17.0.0–17.1.0
ORf5big-ip_local_traffic_managerRange13.1.0–13.1.5
ORf5big-ip_local_traffic_managerRange14.1.0–14.1.5.5
ORf5big-ip_local_traffic_managerRange15.1.0–15.1.9.1
ORf5big-ip_local_traffic_managerRange16.1.0–16.1.3.5
ORf5big-ip_local_traffic_managerRange17.0.0–17.1.0.2
ORf5big-ip_policy_enforcement_managerRange13.1.0–13.1.5
ORf5big-ip_policy_enforcement_managerRange14.1.0–14.1.5.5
ORf5big-ip_policy_enforcement_managerRange15.1.0–15.1.9.1
ORf5big-ip_policy_enforcement_managerRange16.1.0–16.1.3.5
ORf5big-ip_policy_enforcement_managerRange17.0.0–17.1.0.2
ORf5big-ip_ssl_orchestratorRange13.1.0–13.1.5
ORf5big-ip_ssl_orchestratorRange14.1.0–14.1.5.5
ORf5big-ip_ssl_orchestratorRange15.1.0–15.1.9.1
ORf5big-ip_ssl_orchestratorRange16.1.0–16.1.3.5
ORf5big-ip_ssl_orchestratorRange17.0.0–17.1.0.2
ORf5big-ip_webacceleratorRange13.1.0–13.1.5
ORf5big-ip_webacceleratorRange14.1.0–14.1.5.5
ORf5big-ip_webacceleratorRange15.1.0–15.1.9.1
ORf5big-ip_webacceleratorRange16.1.0–16.1.3.5
ORf5big-ip_webacceleratorRange17.0.0–17.1.0.2
ORf5big-ip_websafeRange13.1.0–13.1.5
ORf5big-ip_websafeRange14.1.0–14.1.5.5
ORf5big-ip_websafeRange15.1.0–15.1.9.1
ORf5big-ip_websafeRange16.1.0–16.1.3.5
ORf5big-ip_websafeRange17.0.0–17.1.0.2
CNA Affected
[
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "17.1.0.2",
"status": "affected",
"version": "17.1.0",
"versionType": "semver"
},
{
"lessThan": "16.1.3.5",
"status": "affected",
"version": "16.1.0",
"versionType": "semver"
},
{
"lessThan": "15.1.9.1",
"status": "affected",
"version": "15.1.0",
"versionType": "semver"
},
{
"lessThan": "14.1.5.5",
"status": "affected",
"version": "14.1.0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "13.1.0",
"versionType": "semver"
}
]
}
]References
Related
prion
prion
Cross site scripting
2023-08-02 16:15:00
cvelist
cvelist
CVE-2023-38138 BIG-IP Configuration utility vulnerability
2023-08-02 15:55:06
f5
f5
K000133474 : BIG-IP Configuration utility vulnerability CVE-2023-38138
2023-08-02 00:00:00
K000135479 : Overview of F5 vulnerabilities (August 2023)
2023-08-02 00:00:00
nessus
nessus
F5 Networks BIG-IP : BIG-IP Configuration utility vulnerability (K000133474)
2023-08-02 00:00:00
nvd
nvd
CVE-2023-38138
2023-08-02 16:15:10
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
5.9 Medium
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
16.9%
Related for CVE-2023-38138