CVE-2024-45844 — Missing Authentication for Critical Function in F5 Big-ip Access Policy Manager

CWE-306 — Missing Authentication for Critical Function4 documents4 sources

Severity

8.6HIGHNVD

EPSS

0.1%

top 83.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

F5 Big-ip F5 Big-ip Access Policy Manager F5 Big-ip Advanced Firewall Manager +19 more

Timeline

PublishedOct 16

Description

BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages22 packages

▶NVDf5/big-ip_link_controller15.1.0 — 15.1.10.5+2

▶NVDf5/big-ip_access_policy_manager15.1.0 — 15.1.10.5+2

▶NVDf5/big-ip_application_visibility_and_reporting15.1.0 — 15.1.10.5+2

▶CVEListV5f5/big-ip17.1.0 — 17.1.1.4+2

▶NVDf5/big-ip_websafe15.1.0 — 15.1.10.5+2

🔴Vulnerability Details

CVEList

BIG-IP monitors vulnerability↗2024-10-16

▶

GHSA

GHSA-gfc8-6qcc-3mvm: BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings↗2024-10-16

▶

📋Vendor Advisories

CVE-2024-45844: BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lock...↗2024-10-16

▶

External resources

NVD MITRE

Affected products22

F5 Big-ip≥ 17.1.0, < 17.1.1.4≥ 16.1.0, < 16.1.5≥ 15.1.0, < 15.1.10.5

F5 Big-ip Access Policy Manager≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Advanced Firewall Manager≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Advanced WEB Application Firewall≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Analytics≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Application Acceleration Manager≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Application Security Manager≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Application Visibility AND Reporting≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Automation Toolchain≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

F5 Big-ip Carrier-grade NAT≥ 15.1.0, < 15.1.10.5≥ 16.1.0, < 16.1.5≥ 17.1.0, < 17.1.1.4

Disclosure

PublishedOct 16, 2024