CVE-2022-31473 BIG-IP APM Appliance mode vulnerability CVE-2022-31473

2022-08-0417:45:54

CWE-22

www.cve.org

big-ip

apm appliance mode

directory traversal

authenticated attacker

security boundary

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

25.8%

JSON

In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CNA Affected

[
  {
    "product": "BIG-IP APM",
    "vendor": "F5",
    "versions": [
      {
        "lessThan": "13.1.x*",
        "status": "unaffected",
        "version": "13.1.0",
        "versionType": "custom"
      },
      {
        "lessThan": "14.1.x*",
        "status": "unaffected",
        "version": "14.1.0",
        "versionType": "custom"
      },
      {
        "lessThan": "15.1.4",
        "status": "affected",
        "version": "15.1.x",
        "versionType": "custom"
      },
      {
        "lessThan": "16.1.1",
        "status": "affected",
        "version": "16.1.x",
        "versionType": "custom"
      },
      {
        "lessThan": "17.0.x*",
        "status": "unaffected",
        "version": "17.0.0",
        "versionType": "custom"
      }
    ]
  }
]