
K12492858 : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103

Published: 2022-05-06 00:00:00
Source: my.f5.com

CVSS3: 7.2 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1 High (Confidence: High)

CVSS2: 6.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile: 76.3%)

Security Advisory Description

When running in Appliance mode, the BIG-IP Guided Configuration GUI menu is exposed to the following third-party CVEs:

CVE-2021-23337: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

CVE-2020-28500: Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

CVE-2016-7103: Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Impact

In Appliance mode, this vulnerability may allow an authenticated attacker with administrator role privileges and network access to the affected Guided Configuration GUI menu, through the BIG-IP management port or self IP addresses, to execute arbitrary system commands and create or delete files. The vulnerability bypasses Appliance mode security on BIG-IP systems by allowing the execution of arbitrary Advanced Shell (bash) commands. There is no data plane exposure; this is a control plane issue only.

Note: For ASM Guided Configuration, an additional Advanced WAF license is required for it to be available in the Configuration utility Security menu.
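The same lodash and jQuery UI releases ship in many web applications besides BIG-IP Guided Configuration. As an added example, not part of the F5 advisory, the Node.js check below flags dependency versions below the fixed releases this advisory names; the function names and the sample dependency list are constructed for illustration.

```javascript
// Added example, not from the F5 advisory: flag lodash / jQuery UI versions
// below the fixed releases named in the advisory. Function names and sample
// data are assumptions constructed for illustration.

// Fixed versions and CVE mapping as stated in the advisory text.
const ADVISORIES = [
  { name: 'lodash', fixed: '4.17.21', cves: ['CVE-2021-23337', 'CVE-2020-28500'] },
  { name: 'jquery-ui', fixed: '1.12.0', cves: ['CVE-2016-7103'] },
];

// Compare dotted numeric versions; returns -1, 0 or 1.
// A plain string compare would wrongly rank "4.17.9" above "4.17.21".
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// deps: { packageName: installedVersion }, as read from a lockfile or
// package.json. Returns one finding per package below its fixed version.
function auditDependencies(deps) {
  const findings = [];
  for (const adv of ADVISORIES) {
    const installed = deps[adv.name];
    if (installed === undefined) continue;
    if (compareVersions(installed, adv.fixed) < 0) {
      findings.push({ name: adv.name, installed, fixed: adv.fixed, cves: adv.cves });
    }
  }
  return findings;
}

// Constructed sample: lodash below the fix, jquery-ui already at the fixed release.
const SAMPLE_DEPS = { lodash: '4.17.9', 'jquery-ui': '1.12.0', jquery: '3.6.0' };

for (const f of auditDependencies(SAMPLE_DEPS)) {
  console.log(`${f.name}@${f.installed} is below ${f.fixed}: ${f.cves.join(', ')}`);
}
```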
