Vulnerability CVE-2022-26835


Published: 2022-05-05

Description:
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell (tmsh) commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
F5 -> Big-ip local traffic manager 
F5 -> Big-ip advanced firewall manager 
F5 -> Big-ip access policy manager 
F5 -> Big-ip global traffic manager 
F5 -> Big-ip domain name system 
F5 -> Big-ip policy enforcement manager 
F5 -> Big-ip application security manager 
F5 -> Big-ip analytics 
F5 -> Big-ip application acceleration manager 
F5 -> Big-ip link controller 
F5 -> Big-ip fraud protection service 

 References:
https://support.f5.com/csp/article/K53197140

Copyright 2022, cxsecurity.com

 

Back to Top