CVE-2024-21782

Severity
6.7 MEDIUM
EPSS
0.1%
top 78.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published
Feb 14

Description

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages (14 packages)

Source      Package                               Versions
NVD         f5/big-ip_access_policy_manager       15.1.0 - 15.1.9 (+2 more ranges)
NVD         f5/big-ip_advanced_firewall_manager   15.1.0 - 15.1.9 (+2 more ranges)
CVEListV5   f5/big-ip                             17.1.0 - 17.1.1 (+2 more ranges)
CVEListV5   f5/big-iq                             8.0.0 *
NVD         f5/big-ip_analytics                   15.1.0 - 15.1.9 (+2 more ranges)

Vulnerability Details (2)

CVEList
BIG-IP and BIG-IQ secure copy vulnerability (2024-02-14)
GHSA
GHSA-45mm-4h6g-jrc9: BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced... (2024-02-14)

Vendor Advisories (1)

F5
CVE-2024-21782: BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility bu... (2024-02-14)