CVE-2021-23002

4 documents4 sources
Severity
4.5MEDIUM
EPSS
0.1%
top 77.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
F5 Access Policy Manager ClientsF5 Big-ip Access Policy Manager
Timeline
PublishedMar 31
Latest updateMay 24

Description

When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: Software versions which have reached End of Software

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5big-ip_apm_and_edge_clientBIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, all 12.1.x and 11.6.x versions, Edge Client 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, 7.1.8.x before 7.1.8.5+1
NVDf5/access_policy_manager_clients7.1.57.1.8.5+2
NVDf5/big-ip_access_policy_manager13.1.013.1.3.6+5

🔴Vulnerability Details

2
GHSA
GHSA-4vpw-2c2c-m7m5: When using BIG-IP APM 162022-05-24
CVEList
CVE-2021-23002: When using BIG-IP APM 162021-03-31

📋Vendor Advisories

1
F5
CVE-2021-23002: When using BIG-IP APM 162021-03-31
CVE-2021-23002 (MEDIUM CVSS 4.5) | When using BIG-IP APM 16.0.x before | cvebase.io