CVE-2019-6679: Link Following in F5 Big-ip Access Policy Manager

CWE-59: Link Following | 4 documents | 4 sources

Severity: 3.3 LOW (NVD)
EPSS: 0.1% (top 73.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 23 | Latest update May 24

Description

On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, 13.1.1.5-13.1.3.1, 12.1.4.1-12.1.5, 11.6.4-11.6.5, and 11.5.9-11.5.10, the access controls implemented by scp.whitelist and scp.blacklist are not properly enforced for paths that are symlinks. This allows authenticated users with SCP access to overwrite certain configuration files that would otherwise be restricted.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 1.8 | Impact: 1.4

Affected Packages: 14 packages

NVD | f5/big-ip_access_policy_manager | 11.6.4 | 11.6.5.1 | +6
NVD | f5/big-ip_analytics | 11.6.4 | 11.6.5.1 | +6
NVD | f5/big-ip_edge_gateway | 11.6.4 | 11.6.5.1 | +6
NVD | f5/big-ip_webaccelerator | 11.6.4 | 11.6.5.1 | +6
NVD | f5/big-ip_link_controller | 11.6.4 | 11.6.5.1 | +6

🔴 Vulnerability Details (2)

GHSA | GHSA-hwm9-m7gj-7jf7: On BIG-IP versions 15 | 2022-05-24
CVEList | CVE-2019-6679: On BIG-IP versions 15 | 2019-12-23

📋 Vendor Advisories (1)

F5 | CVE-2019-6679: On BIG-IP versions 15 | 2019-12-23