CVE-2019-6644F5 Big-ip Access Policy Manager vulnerability

4 documents4 sources
Severity
9.4CRITICALNVD
CNA8.1
EPSS
0.8%
top 26.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
F5 Big-ip Access Policy ManagerF5 Big-ip Advanced Firewall ManagerF5 Big-ip Analytics+10 more
Timeline
PublishedSep 4
Latest updateMay 24

Description

Similar to the issue identified in CVE-2018-12120, on versions 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, and 12.1.0-12.1.4 BIG-IP will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 3.9 | Impact: 5.5

Affected Packages14 packages

NVDf5/big-ip_analytics12.1.312.1.4+3
NVDf5/big-ip_edge_gateway12.1.312.1.4+3
NVDf5/big-ip_webaccelerator12.1.312.1.4+3
NVDf5/big-ip_link_controller12.1.312.1.4+3
NVDf5/big-ip_domain_name_system12.1.312.1.4+3

🔴Vulnerability Details

2
GHSA
GHSA-jr9w-mmvc-9gp2: Similar to the issue identified in CVE-2018-12120, on versions 142022-05-24
CVEList
CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 142019-09-04

📋Vendor Advisories

1
F5
CVE-2019-6644: Similar to the issue identified in CVE-2018-12120, on versions 142019-09-04
CVE-2019-6644 — F5 vulnerability | cvebase