When running in Appliance mode, the BIG-IP Guided Configuration GUI menu is vulnerable through the following third-party CVEs:
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
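The first item above names a class of bug, code injection through a template function, without saying what it looks like. The following is an added example, not lodash's source and not F5 code: a minimal template compiler that splices a caller-supplied option into the string it hands to `new Function`, shown in its vulnerable form beside the hardened form. The injection point (an option named `sourceURL` written into a `//# sourceURL=` comment), the `<%= field %>` template syntax, and the harmless marker payload are all assumptions made for the illustration, not details taken from the advisory.

```javascript
// Added illustration (not lodash or F5 code) of the template-function code
// injection class listed above: a tiny template compiler that splices a
// caller-supplied option into the source string handed to `new Function`,
// shown in its vulnerable form and its hardened form.
//
// Assumptions made here, not taken from the advisory: the injection point is an
// option named `sourceURL` that is written into a `//# sourceURL=` comment, and
// templates use `<%= field %>` interpolation.

// Turn "Hello <%= name %>!" into the statement:
//   return "Hello " + (data.name) + "!";
// The template text itself is trusted (it is code by design); the point of the
// example is that an *option* that looks like plain data must not be able to
// break out of the comment line it is written into.
function buildReturnStatement(text) {
  const parts = [];
  const re = /<%=\s*([A-Za-z_$][\w$]*)\s*%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    parts.push(JSON.stringify(text.slice(last, m.index)));
    parts.push('(data.' + m[1] + ')');
    last = m.index + m[0].length;
  }
  parts.push(JSON.stringify(text.slice(last)));
  return 'return ' + parts.join(' + ') + ';';
}

// Vulnerable: the option is concatenated verbatim. A newline inside it ends
// the comment, and whatever follows is compiled and executed as JavaScript.
function compileTemplateVulnerable(text, options = {}) {
  const label = options.sourceURL !== undefined ? options.sourceURL : 'template-source';
  const sourceURL = '//# sourceURL=' + label + '\n';
  return new Function('data', sourceURL + buildReturnStatement(text));
}

// Hardened: coerce to string and collapse every whitespace character (newlines,
// carriage returns, U+2028/U+2029 line separators) to a single space, so the
// option can never leave the comment line.
function compileTemplateHardened(text, options = {}) {
  const label = options.sourceURL !== undefined ? String(options.sourceURL) : 'template-source';
  const sourceURL = '//# sourceURL=' + label.replace(/\s/g, ' ') + '\n';
  return new Function('data', sourceURL + buildReturnStatement(text));
}

// Constructed attacker-controlled option. In place of a system command it sets
// a global marker, so the effect is observable without side effects.
const INJECTED_SOURCE_URL = 'harmless.js\nglobalThis.__templateInjected = true;\n';

// Compile a template with the hostile option and report whether the injected
// statement ran and what the template rendered.
function probe(compile) {
  globalThis.__templateInjected = false;
  const render = compile('Hello <%= name %>!', { sourceURL: INJECTED_SOURCE_URL });
  const output = render({ name: 'operator' });
  return { output, injected: globalThis.__templateInjected === true };
}

// Stand-alone demonstration.
console.log('vulnerable:', probe(compileTemplateVulnerable));
console.log('hardened:  ', probe(compileTemplateHardened));
```

Both compilers render the template identically, which is why this class of bug is easy to miss in testing: the injected statement runs as a side effect of compilation and leaves the rendered output unchanged. The check that matters is whether any caller-controlled value reaches the source string without whitespace being neutralised.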
Impact
In Appliance mode, this vulnerability may allow an authenticated attacker with Administrator role privileges and network access to the affected Guided Configuration GUI menu, through the BIG-IP management port or self IP addresses, to execute arbitrary system commands and create or delete files. Appliance mode is intended to deny administrators access to the Advanced Shell (bash); this vulnerability bypasses that restriction by allowing arbitrary bash commands to be executed. There is no data plane exposure; this is a control plane issue only.
Note: For ASM Guided Configuration, an additional Advanced WAF license is required for it to be available in the Configuration utility Security menu.