CVE-2023-29240 — Incorrect Authorization in F5 Big-iq

CWE-863 — Incorrect Authorization CWE-269 — Improper Privilege Management CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 64.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-iq F5 Big-iq Centralized Management

Timeline

PublishedMay 3

Latest updateJul 6

Description

An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5f5/big-iq8.0.0 — 8.3.0

▶NVDf5/big-iq_centralized_management8.0.0 — 8.3.0

🔴Vulnerability Details

GHSA

GHSA-vgvm-wwrq-c4xw: An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint↗2023-07-06

▶

CVEList

BIG-IQ iControl REST Vulnerability↗2023-05-03

▶

📋Vendor Advisories

CVE-2023-29240: An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclose...↗2023-05-03

▶