CVE-2020-5906Incorrect Default Permissions in F5 Big-ip Access Policy Manager

CWE-276Incorrect Default Permissions4 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.1%
top 67.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
F5 Big-ip Access Policy ManagerF5 Big-ip Advanced Firewall ManagerF5 Big-ip Analytics+8 more
Timeline
PublishedJul 1
Latest updateMay 24

Description

In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages12 packages

NVDf5/big-ip_access_policy_manager11.6.111.6.5+2
CVEListV5f5/big-ip_access_policy_manager13.1.0-13.1.3.3, 12.1.0-12.1.5.2, 11.6.1-11.6.5.2
NVDf5/big-ip_domain_name_system11.6.111.6.5+2
NVDf5/big-ip_policy_enforcement_manager11.6.111.6.5+2
NVDf5/big-ip_analytics11.6.111.6.5+2

🔴Vulnerability Details

2
GHSA
GHSA-h3w9-w8vh-9fqg: In versions 132022-05-24
CVEList
CVE-2020-5906: In versions 132020-07-01

📋Vendor Advisories

1
F5
CVE-2020-5906: In versions 132020-07-01
CVE-2020-5906 — Incorrect Default Permissions in F5 | cvebase