CVE-2021-23015: Incorrect Authorization in F5 BIG-IP Access Policy Manager

Severity: 7.2 HIGH (NVD)
EPSS: 0.1% (top 81.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 10; latest update May 24

Description

On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (15 packages)

Source | Package | Affected version range | Additional ranges
NVD | f5/big-ip_analytics | 13.1.0 to 13.1.4 | +3
NVD | f5/big-ip_link_controller | 13.1.0 to 13.1.4 | +3
NVD | f5/big-ip_ssl_orchestrator | 13.1.0 to 13.1.4 | +3
NVD | f5/big-ip_domain_name_system | 13.1.0 to 13.1.4 | +3
NVD | f5/big-ip_ddos_hybrid_defender | 13.1.0 to 13.1.4 | +3

Vulnerability Details (2)

GHSA: GHSA-6x77-892j-xm83: On BIG-IP 15 (2022-05-24)
CVEList: CVE-2021-23015: On BIG-IP 15 (2021-05-10)

Vendor Advisories (1)

F5: CVE-2021-23015: On BIG-IP 15 (2021-05-10)
CVE-2021-23015 — Incorrect Authorization in F5 | cvebase