CVE-2023-22283: Uncontrolled Search Path Element in F5 APM Clients

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 75.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 1

Description

On versions beginning in 7.1.5 to before 7.2.3.1, a DLL hijacking vulnerability exists in the BIG-IP Edge Client for Windows. User interaction and administrative privileges are required to exploit this vulnerability because the victim user needs to run the executable on the system and the attacker requires administrative privileges for modifying the files in the trusted search path. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Exploitability: 0.6 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | f5/apm_clients | 7.1.5 | 7.2.3.1
NVD | f5/big-ip_access_policy_manager | 7.2.2 | 7.2.3.1 | +5

🔴 Vulnerability Details (2)

CVEList | BIG-IP Edge Client for Windows vulnerability | 2023-02-01
GHSA | GHSA-w4h2-j6vw-9v7g: On versions beginning in 7 | 2023-02-01

📋 Vendor Advisories (1)

F5 | CVE-2023-22283: On versions beginning in 7 | 2023-02-01