Description
In versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when the Advanced WAF / ASM module is provisioned, an authenticated remote code execution vulnerability exists in the BIG-IP iControl REST interface.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- F5 / BIG-IP Advanced WAF & ASM 17.0.0 – 17.0.x*
- F5 / BIG-IP Advanced WAF & ASM 16.1.x – 16.1.3.1
- F5 / BIG-IP Advanced WAF & ASM 15.1.x – 15.1.6.1
- F5 / BIG-IP Advanced WAF & ASM 14.1.x – 14.1.5.1
- F5 / BIG-IP Advanced WAF & ASM 13.1.x – 13.1.5.1