K20606443 : iControl REST CSRF vulnerability CVE-2020-5922

Published: 2020-08-26
Source: my.f5.com

AI Score: 7.8 High (confidence: low)
EPSS: 0.001 Low (percentile: 31.7%)

Security Advisory Description

iControl REST does not implement cross-site request forgery (CSRF) protections for users applying basic authentication in a web browser. (CVE-2020-5922)

Impact

In a successful exploit, an attacker who gets a user with cached Basic Auth credentials for the BIG-IP management interface to open an attacker-controlled page can have that page issue iControl REST requests that the browser sends with those credentials, so the requests execute with the privileges of the currently logged-in user. For an administrative user with access to the Advanced Shell (bash), successful exploitation can be leveraged to compromise the BIG-IP system through remote code execution.

The attack requires a valid user to have first authenticated to the iControl REST API with Basic Auth credentials in a web browser, which is an uncommon use case and not recommended. Standard use of iControl REST by the Configuration utility, and manually browsing the REST API through /mgmt/toc, do not expose this issue: both mechanisms use token-based authentication carried in a custom HTTP header, which a cross-site page cannot attach to a request without a CORS preflight that the server does not approve.
