CVE-2022-27806

CWE-77 — Command Injection4 documents4 sources

Severity

7.2HIGH

EPSS

0.7%

top 28.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip Guided Configuration (gc)F5 Big-ip Guided Configuration F5 Big-ip Access Policy Manager +2 more

Timeline

PublishedMay 5

Latest updateMay 6

Description

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:NExploitability: 2.3 | Impact: 5.8

Affected Packages5 packages

▶NVDf5/big-ip_guided_configuration< 9.0

▶CVEListV5f5/big-ip_guided_configuration_(gc)All — 9.0

▶NVDf5/big-ip_advanced_web_application_firewall18 versions+17

▶NVDf5/big-ip_access_policy_manager18 versions+17

▶NVDf5/big-ip_application_security_manager18 versions+17

🔴Vulnerability Details

GHSA

GHSA-7gpj-49pv-jr3x: On all versions of 16↗2022-05-06

▶

CVEList

CVE-2022-27806: On all versions of 16↗2022-05-05

▶

📋Vendor Advisories

CVE-2022-27806: On all versions of 16↗2022-05-05

▶