BIG-IP Configuration Utility vulnerability

CVE-2023-41373

9.9CRITICAL

Key Information

Vendor: F5
Status: Big-ip
Vendor: CVE Published:; 10 October 2023

Summary

A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Version(s)

BIG-IP < 17.1.0.3

BIG-IP < 16.1.4.1

BIG-IP < 15.1.10.2

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Risk change from: 8.8 to: 9.9 - (CRITICAL)
Sep 19, 2024
Risk change from: 9.9 to: 8.8 - (HIGH)
Sep 19, 2024
Risk change from: 8.8 to: 9.9 - (CRITICAL)
Sep 19, 2024
Risk change from: 9.9 to: 8.8 - (HIGH)
Sep 19, 2024
Risk change from: 8.8 to: 9.9 - (CRITICAL)
Sep 19, 2024
Risk change from: 9.9 to: 8.8 - (HIGH)
Sep 19, 2024
Risk change from: 8.8 to: 9.9 - (CRITICAL)
Sep 19, 2024
Risk change from: 9.9 to: 8.8 - (HIGH)
Sep 19, 2024
Risk change from: 8.8 to: 9.9 - (CRITICAL)
Sep 19, 2024
Risk change from: 9.9 to: 8.8 - (HIGH)
Sep 19, 2024
Vulnerability published.
Oct 10, 2023
Vulnerability Reserved.
Oct 5, 2023

Collectors

NVD DatabaseMitre Database

Credit

F5 acknowledges Alex Birnberg working with Trend Micro Zero Day Initiative for bringing this issue to our attention and following the highest standards of coordinated disclosure.