PT-2020-16789 · F5 · F5 Big-Ip
Published 2020-12-24 · Updated 2020-12-28 · CVE-2020-27727
CVSS v3.1: 4.9 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
F5 BIG-IP versions 13.1.0 through 13.1.3.4
F5 BIG-IP versions 14.1.0 through 14.1.3
F5 BIG-IP versions 15.1.0 through 15.1.0.5
F5 BIG-IP versions 16.0.0 through 16.0.0.1
Description
The vulnerability is triggered when an authenticated administrative user installs RPMs through the iAppsLX REST installer. Because the installer does not sufficiently validate user input, that user can gain read access to the filesystem.
Recommendations
For F5 BIG-IP versions 13.1.0 through 13.1.3.4, restrict access to the iAppsLX REST installer until a patch is available.
For F5 BIG-IP versions 14.1.0 through 14.1.3, consider disabling the iAppsLX REST installer functionality to minimize the risk of exploitation.
For F5 BIG-IP versions 15.1.0 through 15.1.0.5, avoid using the iAppsLX REST installer for RPM installations until the issue is resolved.
For F5 BIG-IP versions 16.0.0 through 16.0.0.1, limit the privileges of authenticated administrative users to prevent potential misuse of the iAppsLX REST installer.
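To decide which of the recommendations above applies to a given appliance, a defender needs to match its BIG-IP version against the four affected ranges. The following is an added example, not part of the advisory or of any F5 tooling; it assumes the "through X" upper bounds include point releases of X (a conservative reading), and the hostnames and versions in the sample inventory are constructed.

```python
# Added example: match BIG-IP version strings against the affected ranges
# published in this advisory. Not part of the advisory or of F5's tooling.
from typing import Dict, List, Tuple

# Affected ranges exactly as listed on this page (both ends inclusive).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("13.1.0", "13.1.3.4"),
    ("14.1.0", "14.1.3"),
    ("15.1.0", "15.1.0.5"),
    ("16.0.0", "16.0.0.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.1.0.5' into (15, 1, 0, 5); reject anything that is not dotted digits."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so that '14.1.0' compares as '14.1.0.0'."""
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo))
        above_low = pad(v, width) >= pad(lo, width)
        # Upper bound: compare only as many components as the bound lists, so
        # "through 14.1.3" also covers 14.1.3.x point releases (assumption).
        below_high = pad(v, len(hi))[: len(hi)] <= hi
        if above_low and below_high:
            return True
    return False


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose recorded version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {"lb-01": "15.1.0.5", "lb-02": "15.1.1", "lb-03": "13.1.3.4"}
```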
Affected Products
F5 Big-Ip