CVE-2020-5905 - OpenCVE

In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Policy Enforcement Manager Big-ip Analytics Big-ip Access Policy Manager Big-ip Link Controller Big-ip Application Acceleration Manager Big-ip Fraud Protection Service Big-ip Domain Name System Big-ip Global Traffic Manager Big-ip Advanced Firewall Manager Big-ip Local Traffic Manager Big-ip Application Security Manager

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::

References

Link	Resource
https://support.f5.com/csp/article/K07051153	Vendor Advisory
https://www.kb.cert.org/vuls/id/290915	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: f5

Published: 2020-07-01T14:40:49

Updated: 2020-07-08T21:06:14

Reserved: 2020-01-06T00:00:00

Link: CVE-2020-5905

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-01T15:15:15.593

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-5905

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "1F82C168-C3F0-4E5A-9465-4C9BE57FE888", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "26EA444C-FA23-40A7-98C7-404DC8E5611F", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "8088D322-514B-49C3-9041-7FCD6902A0E6", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "74330249-E08A-4DAB-AB9F-13BE634D74DA", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9A86305-2292-40FB-A984-9B15F7A079F0", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "5415B126-600B-4200-AA87-AFB434BFAE9F", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "46F2C7CC-928E-418F-9033-AF84835EF588", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7A79CD5-DF43-4D88-928B-0145CAD4069D", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "714EE4A8-ACA0-40A5-B183-34D08591A82B", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACC3FDE8-EFD4-4D92-89BD-40A0F6304965", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "583BE9A4-928A-4347-994B-2E7F2B2AAD30", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In version 11.6.1-11.6.5.2 of the BIG-IP system Configuration utility Network > WCCP page, the system does not sanitize all user-provided data before display."}, {"lang": "es", "value": "En la versi\u00f3n 11.6.1 hasta 11.6.5.2 de la p\u00e1gina Network > WCCP de la utilidad de configuraci\u00f3n del sistema BIG-IP, el sistema no sanea todos los datos proporcionados por el usuario antes de desplegarlos"}], "id": "CVE-2020-5905", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-01T15:15:15.593", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K07051153"}, {"source": "f5sirt@f5.com", "tags": ["Third Party Advisory"], "url": "https://www.kb.cert.org/vuls/id/290915"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}