CVE-2021-23031 — OS Command Injection in F5 Big-ip Advanced WEB Application Firewall

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.9CRITICALNVD

EPSS

0.5%

top 34.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Advanced WEB Application Firewall F5 Big-ip Application Security Manager

Timeline

PublishedSep 14

Latest updateMay 24

Description

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

▶NVDf5/big-ip_advanced_web_application_firewall11.6.1 — 11.6.5.2+5

▶NVDf5/big-ip_application_security_manager11.6.1 — 11.6.5.2+5

🔴Vulnerability Details

GHSA

GHSA-9qcg-p796-2q2v: On version 16↗2022-05-24

▶

CVEList

CVE-2021-23031: On version 16↗2021-09-14

▶

📋Vendor Advisories

CVE-2021-23031: On version 16↗2021-09-14

▶