AI Score: 6 (Medium), confidence High
CVSS2: 4.3 (Medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N (Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: None)
EPSS: 0.8 (High), percentile 98.0%
Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.
F5 products and versions that have been evaluated for this Security Advisory
| Product | Affected | Not Affected |
|---|---|---|
| BIG-IP LTM | 9.0.0 - 9.2.5 | 9.3.x, 9.4.x, 10.x, 11.x |
| BIG-IP GTM | 9.2.2 - 9.2.5 | 9.3.x, 9.4.x, 10.x, 11.x |
| BIG-IP ASM | 9.2.0 - 9.2.5 | 9.3.x, 9.4.x, 10.x, 11.x |
| BIG-IP Link Controller | 9.2.2 - 9.2.5 | 9.3.x, 9.4.x, 10.x, 11.x |
| BIG-IP WebAccelerator | None | 9.x, 10.x, 11.x |
| BIG-IP PSM | None | 9.x, 10.x, 11.x |
| BIG-IP WAN Optimization | None | 10.x, 11.x |
| BIG-IP APM | None | 10.x, 11.x |
| BIG-IP Edge Gateway | None | 10.x, 11.x |
| BIG-IP Analytics | None | 11.x |
| BIG-IP AFM | None | 11.x |
| BIG-IP PEM | None | 11.x |
| FirePass | None | 5.x, 6.x, 7.x |
| Enterprise Manager | None | 1.x, 2.x, 3.x |
F5 Product Development has determined the likelihood of exploitation is low for the cross-site scripting (XSS) vulnerability disclosed in CVE-2007-5000. Exploiting this vulnerability would require an administrator of an F5 device to interact with a web page crafted by an attacker. Possible attacks could include recovering that administrator or operator’s password to the BIG-IP.
Note: The BIG-IP system ships with the mod_imap module; however, the BIG-IP Configuration utility does not use or rely on mod_imap.
Information about this advisory is available at the following location:
<https://vulners.com/cve/CVE-2007-5000>
F5 Product Development tracked this issue as CR59618 and it was fixed in BIG-IP 9.3.0 and 9.4.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller, and WebAccelerator release notes.
Workaround
If you are using a vulnerable version and upgrading is not an immediate option, you can disable mod_imap by performing the following procedure:

    cd /config/httpd/conf

3. Open the httpd.conf file with a file editor and comment out the mod_imap entry by inserting **#** at the beginning of the following line:

    #LoadModule imap_module modules/mod_imap.so

4. Save the httpd.conf file.
5. Restart the httpd daemon by typing the following command:

    bigstart restart httpd
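The workaround above is a manual edit. The following added example (not F5's own code or tooling) performs the same change from a shell script so it can be applied consistently and checked afterwards: it backs up httpd.conf, comments out any active `LoadModule imap_module` line, and verifies that mod_imap is no longer loaded. The function names and the sample configuration are constructed for the example; on a real BIG-IP 9.x system the file is /config/httpd/conf/httpd.conf, and the restart step (`bigstart restart httpd`) is deliberately left to the operator.

```shell
#!/bin/sh
# Added example, not F5's code: script the mod_imap workaround.
# Function names and the sample httpd.conf below are constructed.

# Return 0 if httpd.conf ($1) still loads mod_imap, i.e. contains an
# uncommented "LoadModule imap_module ..." line; return 1 otherwise.
mod_imap_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+imap_module[[:space:]]' "$1"
}

# Comment out every active mod_imap LoadModule line in httpd.conf ($1),
# keeping a timestamped backup beside it. Lines that are already commented
# are left alone, so running this twice is harmless.
disable_mod_imap() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    if ! mod_imap_enabled "$conf"; then
        echo "mod_imap already disabled in $conf"
        return 0
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    # Prefix the directive with '#', preserving any leading indentation.
    sed -i -E 's/^([[:space:]]*)(LoadModule[[:space:]]+imap_module[[:space:]])/\1#\2/' "$conf"
    # Verify the edit actually took effect before reporting success.
    mod_imap_enabled "$conf" && { echo "failed to disable mod_imap in $conf" >&2; return 1; }
    echo "mod_imap disabled in $conf; restart httpd (bigstart restart httpd) to apply"
}

# Write a small constructed httpd.conf to $1 for demonstration and testing.
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local/apache"
LoadModule ssl_module modules/mod_ssl.so
LoadModule imap_module modules/mod_imap.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
}
```

Usage: `disable_mod_imap /config/httpd/conf/httpd.conf` followed by the restart from step 5. The check in `mod_imap_enabled` is also a useful standalone audit: run it against the config after any upgrade or restore to confirm the module has not been re-enabled.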