6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
6.8%
The βnodeβ iRules command may allow an attacker to bypass the access control restrictions for a self IP address, regardless of the port lockdown settings.(CVE-2022-33962)
Impact
This vulnerability may allow an authenticated attacker with the iRule Manager role to create an iRule which allows the attacker to elevate their privileges to a higher level; this assumes that the attacker has access to the BIG-IP control plane as well as valid credentials.
Note: iRules in which the βnodeβ command operates on untrusted data-plane input should always be considered potentially unsafe and may have an elevated risk which should be determined by the author of the iRule. Such iRules are not advised unless steps are taken to validate the user input against an allow-list of valid destinations to ensure that the rule cannot be manipulated to send traffic to arbitrary, unintended destinations. Additionally, unvalidated input to the βnodeβ command may allow traffic to be directed to internal BIG-IP IP addresses or services.
6.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:M/C:P/I:P/A:P
0.0004 Low
EPSS
Percentile
6.8%