Command Restriction Bypass in BIG-IP Traffic Management User Interface
CVE-2018-15329

7.2HIGH

Key Information:

Vendor: F5
Status: Big-ip (ltm, Aam, Afm, Analytics, Apm, Asm, Dns, Edge Gateway, Fps, Gtm, Link Controller, Pem, Webaccelerator), Enterprise Manager
Vendor: CVE Published:; 20 December 2018

Summary

In specific versions of F5 BIG-IP and Enterprise Manager, authenticated administrative users are able to execute commands in the Traffic Management User Interface (TMUI) without the proper restrictions being enforced. This vulnerability can be exploited by malicious actors if administrative access is obtained, leading to unauthorized command execution within the system.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator), Enterprise Manager 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 3.1.1

References

https://support.f5.com/csp/article/K61620494

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 20, 2018
Vulnerability Reserved
Aug 14, 2018