⚠ Actively exploited

Added to CISA KEV on 2023-10-31. Federal agencies required to patch by 2023-11-21. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-46748 — SQL Injection in F5 Big-ip Access Policy Manager

CWE-89 — SQL Injection CWE-288 — Authentication Bypass Using an Alternate Path or Channel7 documents6 sources

Severity

8.8HIGHNVD

VulnCheck9.8CISA9.8

EPSS

4.3%

top 11.04%

CISA KEV

KEV

Added 2023-10-31

Due 2023-11-21

Exploit

Exploited in wild

Active exploitation observed

Affected products

F5 Big-ip F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +18 more

Timeline

PublishedOct 26

KEV addedOct 31

KEV dueNov 21

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages21 packages

▶NVDf5/big-ip_domain_name_system13.1.0 — 13.1.5+4

▶NVDf5/big-ip_access_policy_manager13.1.0 — 13.1.5+4

▶NVDf5/big-ip_application_visibility_and_reporting13.1.0 — 13.1.5+4

▶CVEListV5f5/big-ip17.1.0 — *+4

▶NVDf5/big-ip_websafe13.1.0 — 13.1.5+4

🔴Vulnerability Details

GHSA

GHSA-9h42-3pgf-qjc8: An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access↗2023-10-26

▶

CVEList

BIG-IP Configuration utility authenticated SQL injection vulnerability↗2023-10-26

▶

VulnCheck

F5 BIG-IP Configuration Utility SQL Injection Vulnerability↗2023

▶

📋Vendor Advisories

CISA

F5 BIG-IP Configuration Utility SQL Injection Vulnerability↗2023-10-31

▶

CISA

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability↗2023-10-31

▶

CVE-2023-46748: An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenti...↗2023-10-26

▶

External resources

NVD MITRE CISA KEV

Affected products21

F5 Big-ip≥ 17.1.0, < *≥ 16.1.0, < *≥ 15.1.0, < *+2 more

F5 Big-ip Access Policy Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Advanced Firewall Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Advanced WEB Application Firewall≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Analytics≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Acceleration Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Security Manager≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Application Visibility AND Reporting≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Automation Toolchain≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

F5 Big-ip Carrier-grade NAT≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5≥ 15.1.0, ≤ 15.1.10+2 more

Disclosure

PublishedOct 26, 2023

KEV addedOct 31, 2023

KEV dueNov 21, 2023