Undisclosed iControl REST worker vulnerable to command injection for an Administrator user. (CVE-2019-6620)
Impact
BIG-IP and BIG-IQ
This vulnerability may bypass Appliance mode security by allowing the execution of arbitrary bash commands. In non-Appliance mode deployments, the Administrator and Resource Administrator users already own this level of access. F5 considers this vulnerability a security concern primarily for systems deployed in Appliance mode. In addition, a valid attack vector exists for users who are not already granted Advanced Shell (bash) access, such as a Resource Administrator, who by default is not explicitly granted bash access.
Enterprise Manager, F5 iWorkflow, and Traffix SDC
There is no impact; these F5 products are not affected by this vulnerability.