CVE-2014-8727

Name of the Vulnerable Software and Affected Versions F5 BIG-IP versions prior to 10.2.2

Description The issue allows local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files. This is achieved by exploiting directory traversal vulnerabilities using a .. (dot dot) in the name parameter to specific API endpoints, such as "tmui/Control/jspmap/tmui/system/archive/properties.jsp" or "tmui/Control/form".

Recommendations For versions prior to 10.2.2, update to version 10.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the name parameter in the affected API endpoints until a patch is available. Restrict access to the vulnerable API endpoints "tmui/Control/jspmap/tmui/system/archive/properties.jsp" and "tmui/Control/form" to minimize the risk of exploitation.