BIG-IQ iControl REST Vulnerability

CVE-2023-29240

5.4MEDIUM

Key Information

Vendor: F5
Status: BIG-IQ
Vendor: CVE Published:; 3 May 2023

Summary

An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ can upload arbitrary files using an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Version(s)

BIG-IQ < 8.3.0

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
May 3, 2023
Vulnerability Reserved.
Apr 14, 2023

Collectors

NVD DatabaseMitre Database

Credit

F5 acknowledges Mateusz Dąbrowski of ING for bringing this issue to our attention and following the highest standards of coordinated disclosure.