Unrestricted Snapshot File Access in F5 BIG-IP Configuration Utility
CVE-2018-15333

5.5MEDIUM

Key Information:

Vendor
F5
Status
Big-ip (ltm, Aam, Afm, Analytics, Apm, Asm, Dns, Edge Gateway, Fps, Gtm, Link Controller, Pem, Webaccelerator)
Vendor
CVE Published:
28 December 2018

Summary

The F5 BIG-IP web application allows users with any role, including the guest role, to access and download sensitive snapshot files from the configuration utility. This includes files like QKView and TCPDumps, which may contain critical information about the system's configuration and operational data. If exploited, this vulnerability could lead to unauthorized disclosure of sensitive data, compromising the security and integrity of the system.

Affected Version(s)

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) All versions 11.2.1+

References

https://support.f5.com/csp/article/K53620021
x_refsource_CONFIRM
http://www.securityfocus.com/bid/106380
vdb-entryx_refsource_BID
https://support.f5.com/csp/article/K53620021?utm_source=f...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.