CVE-2017-0304 — SQL Injection in F5 Big-ip Advanced Firewall Manager

CWE-89 — SQL Injection4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 61.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Networks INC Big-ip AFM F5 Big-ip Advanced Firewall Manager F5 Big-ip AFM

Timeline

PublishedDec 21

Latest updateMay 14

Description

A SQL injection vulnerability exists in the BIG-IP AFM management UI on versions 12.0.0, 12.1.0, 12.1.1, 12.1.2 and 13.0.0 that may allow a copy of the firewall rules to be tampered with and impact the Configuration Utility until there is a resync of the rules. Traffic processing and the live firewall rules in use are not affected.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDf5/big-ip_advanced_firewall_manager5 versions+4

▶f5f5/big-ip_afm

▶CVEListV5f5_networks_inc/big-ip_afm12.0.0, 12.1.0, 12.1.1, 12.1.2, 13.0.0+1

🔴Vulnerability Details

GHSA

GHSA-56cq-cx36-9v3r: A SQL injection vulnerability exists in the BIG-IP AFM management UI on versions 12↗2022-05-14

▶

📋Vendor Advisories

CVE-2017-0304: A SQL injection vulnerability exists in the BIG-IP AFM management UI on versions 12↗2017-12-21

▶

💬Community

Bugzilla

CVE-2017-2808 ledger: CLI Account Directive Use-After-Free Vulnerability↗2017-09-06

▶