SQL Injection Vulnerability in F5 BIG-IP Application Security Manager
CVE-2021-23040
8.8 HIGH
What is CVE-2021-23040?
A SQL injection vulnerability exists in a hidden page of the BIG-IP Configuration utility for F5 BIG-IP AFM. The flaw is present only when BIG-IP AFM is provisioned. It could allow attackers to execute unauthorized SQL commands, compromising data integrity and security. Several versions of the software are affected, so prompt updates are needed to mitigate the risk.
Affected Version(s)
BIG-IP AFM 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x
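The version list above can be turned into a triage check for an asset inventory. The following is an added example, not code from F5 or from this page: the function names, status strings and inventory rows are assumptions constructed for illustration, and how the version and AFM provisioning state are collected from each device is left out.

```python
# Added example: classify BIG-IP builds against the affected-version list on this page.

# Branch (major, minor) -> first fixed release as listed on the page.
# None means the page lists no fixed release for that branch.
FIXED = {
    (16, 0): (16, 0, 1, 2),
    (15, 1): (15, 1, 3),
    (14, 1): (14, 1, 4, 2),
    (13, 1): (13, 1, 4, 1),
    (12, 1): None,  # "all versions of 12.1.x"
}

def parse_version(text):
    """Turn '15.1.2.1' into (15, 1, 2, 1); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(version, width=4):
    """Right-pad with zeros so that 15.1.3 compares equal to 15.1.3.0."""
    return tuple(version) + (0,) * (width - len(version))

def assess(version, afm_provisioned):
    """Return 'affected', 'not-exposed', 'fixed' or 'not-listed' for one device."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED:
        return "not-listed"  # the page says nothing about this branch
    fixed = FIXED[branch]
    if fixed is not None and _pad(v) >= _pad(fixed):
        return "fixed"
    # Vulnerable build: the flaw is only present when AFM is provisioned.
    return "affected" if afm_provisioned else "not-exposed"

def triage(inventory):
    """Map each hostname in (host, version, afm_provisioned) rows to its status."""
    return {host: assess(ver, afm) for host, ver, afm in inventory}

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("bigip-a.example", "15.1.2.1", True),
    ("bigip-b.example", "15.1.3", True),
    ("bigip-c.example", "12.1.6", False),
    ("bigip-d.example", "16.1.0", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A `not-exposed` result still marks a build that becomes affected as soon as AFM is provisioned, so it belongs in the upgrade queue rather than the cleared list.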