CVE-2023-42768

CWE-613 — Insufficient Session Expiration4 documents4 sources

Severity

7.2HIGH

EPSS

0.4%

top 37.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +17 more

Timeline

PublishedOct 10

Description

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages20 packages

▶NVDf5/big-ip_access_policy_manager15.1.0 — 15.1.9+3

▶CVEListV5f5/big-ip16.1.0 — 16.1.4+3

▶NVDf5/big-ip_websafe15.1.0 — 15.1.9+3

▶NVDf5/big-ip_analytics15.1.0 — 15.1.9+3

▶NVDf5/big-ip_edge_gateway15.1.0 — 15.1.9+3

🔴Vulnerability Details

GHSA

GHSA-6944-qqg6-vmm7: When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-adm↗2023-10-10

▶

CVEList

BIG-IP iControl REST vulnerability↗2023-10-10

▶

📋Vendor Advisories

CVE-2023-42768: When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's r...↗2023-10-10

▶

External resources

NVD MITRE

Affected products20

F5 Big-ip≥ 16.1.0, < 16.1.4≥ 15.1.0, < 15.1.9≥ 14.1.0, < *+1 more

F5 Big-ip Access Policy Manager≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Advanced Firewall Manager≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Advanced WEB Application Firewall≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Analytics≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Application Acceleration Manager≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Application Security Manager≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Application Visibility AND Reporting≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Carrier-grade NAT≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

F5 Big-ip Ddos Hybrid Defender≥ 15.1.0, < 15.1.9≥ 16.1.0, < 16.1.4≥ 13.1.0, ≤ 13.1.5+1 more

Disclosure

PublishedOct 10, 2023