iControl SOAP vulnerability
CVE-2023-22374
8.5 HIGH
Summary
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Affected Version(s)
BIG-IP < 17.1.0
BIG-IP < 16.1.3.4
BIG-IP < 15.1.8.2
CVSS V3.1
Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD Database
Mitre Database
Credit
F5 acknowledges Ron Bowes of Rapid7 for bringing this issue to our attention and following the highest standards of coordinated disclosure.