CVE-2022-23031 — XML External Entity (XXE) Injection in F5 Big-ip Advanced WEB Application Firewall

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

0.4%

top 40.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Advanced WEB Application Firewall F5 Big-ip Application Security Manager F5 Big-ip Fraud Protection Service

Timeline

PublishedJan 25

Latest updateJan 26

Description

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which ha…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDf5/big-ip_advanced_web_application_firewall14.1.0 — 14.1.4+2

▶NVDf5/big-ip_application_security_manager14.1.0 — 14.1.4+2

▶NVDf5/big-ip_fraud_protection_service14.1.0 — 14.1.4+2

🔴Vulnerability Details

GHSA

GHSA-6j94-pvhj-7f99: On BIG-IP FPS, ASM, and Advanced WAF versions 16↗2022-01-26

▶

CVEList

CVE-2022-23031: On BIG-IP FPS, ASM, and Advanced WAF versions 16↗2022-01-25

▶

📋Vendor Advisories

CVE-2022-23031: On BIG-IP FPS, ASM, and Advanced WAF versions 16↗2022-01-25

▶