CVE-2021-23029Server-Side Request Forgery in F5 Big-ip Advanced WEB Application Firewall

CWE-918Server-Side Request Forgery4 documents4 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 48.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
F5 Big-ip Advanced WEB Application FirewallF5 Big-ip Application Security Manager
Timeline
PublishedSep 14
Latest updateMay 24

Description

On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-xg8c-mw7j-wcv9: On version 162022-05-24
CVEList
CVE-2021-23029: On version 162021-09-14

📋Vendor Advisories

1
F5
CVE-2021-23029: On version 162021-09-14
CVE-2021-23029 — Server-Side Request Forgery in F5 | cvebase