PT-2022-15798 · F5 · BIG-IP ASM +3
Published: 2022-01-25 · Updated: 2022-02-01 · CVE-2022-23031
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1
BIG-IP FPS, ASM, and Advanced WAF versions 15.1.x before 15.1.4
BIG-IP FPS, ASM, and Advanced WAF versions 14.1.x before 14.1.4.4
Description
An XML External Entity (XXE) issue exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility. This allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests.
Recommendations
For versions 16.1.x before 16.1.1, update to version 16.1.1 or later.
For versions 15.1.x before 15.1.4, update to version 15.1.4 or later.
For versions 14.1.x before 14.1.4.4, update to version 14.1.4.4 or later.
Fix
XXE
Weakness Enumeration
Related Identifiers
Affected Products
Advanced WAF
BIG-IP
BIG-IP ASM
BIG-IP FPS