History: Feb 14, 2024 - 5:15 p.m.

CVE-2024-21782

2024-02-14 17:15:12
CWE-78
web.nvd.nist.gov
10
cve-2024-21782
big-ip
big-iq
resource administrators
certificate managers
secure copy
scp
arbitrary commands
vulnerability
incomplete fix
nvd

CVSS3: 6.7 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.4 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 42.0%)

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "All Modules"
    ],
    "product": "BIG-IP",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "17.1.1",
        "status": "affected",
        "version": "17.1.0",
        "versionType": "custom"
      },
      {
        "lessThan": "16.1.4",
        "status": "affected",
        "version": "16.1.0",
        "versionType": "custom"
      },
      {
        "lessThan": "15.1.9",
        "status": "affected",
        "version": "15.1.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unknown",
    "modules": [
      "Centralized Management"
    ],
    "product": "BIG-IQ",
    "vendor": "F5",
    "versions": [
      {
        "changes": [
          {
            "at": "Hotfix-BIG-IQ-8.3.0.0.16.118-ENG.iso",
            "status": "unaffected"
          }
        ],
        "lessThan": "*",
        "status": "affected",
        "version": "8.0.0",
        "versionType": "custom"
      }
    ]
  }
]
