Session ID Exposure in BIG-IP APM and Edge Client by F5 Networks
CVE-2021-23002
4.5 MEDIUM
Summary
The F5 BIG-IP APM and Edge Client expose session IDs in the command arguments when launching the VPN from a web browser on Windows systems. This vulnerability affects several versions of both the BIG-IP APM and Edge Client, necessitating coordinated updates for both client and server to mitigate the risks associated with potential interception of session identifiers.
Affected Version(s)
BIG-IP APM and Edge Client: BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, all 12.1.x and 11.6.x versions
BIG-IP APM and Edge Client: Edge Client 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, 7.1.8.x before 7.1.8.5
CVSS V3.1
Score: 4.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved