Authenticated Remote Command Execution in F5 BIG-IP with Advanced WAF
CVE-2021-22990

7.2 HIGH

Key Information:

Vendor: F5
CVE Published: 31 March 2021

Summary

A vulnerability exists in the Traffic Management User Interface (TMUI) of F5 BIG-IP systems with Advanced WAF or BIG-IP ASM provisioned, allowing authenticated users to execute remote commands on the affected systems through undisclosed pages. This can lead to unauthorized system control and compromise the integrity of the application.

Affected Version(s)

BIG-IP Advanced WAF or BIG-IP ASM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, 11.6.x before 11.6.5.3

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
