CVE-2022-23026 - OpenCVE

On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Advanced Web Application Firewall Big-ip Application Acceleration Manager

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::

References

Link	Resource
https://support.f5.com/csp/article/K08402414	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: f5

Published: 2022-01-25T19:11:26

Updated: 2022-01-25T19:11:26

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-23026

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-25T20:15:09.787

Modified: 2022-02-01T17:29:18.473

Link: CVE-2022-23026

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "BIG-IP ASM & Advanced WAF", "vendor": "n/a", "versions": [{"status": "affected", "version": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x"}]}], "descriptions": [{"lang": "en", "value": "On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-25T19:11:26", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.f5.com/csp/article/K08402414"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "ID": "CVE-2022-23026", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIG-IP ASM & Advanced WAF", "version": {"version_data": [{"version_value": "16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K08402414", "refsource": "MISC", "url": "https://support.f5.com/csp/article/K08402414"}]}}}}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2022-23026", "datePublished": "2022-01-25T19:11:26", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2022-01-25T19:11:26", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "DB47609C-87B6-4471-A5BD-CD942598BCB9", "versionEndIncluding": "12.1.6", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4C23715-2E2A-4FC6-8303-007AA2355779", "versionEndIncluding": "13.1.4", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2A1BB14-BEB5-43DD-878D-83E51FBFD4E0", "versionEndIncluding": "14.1.4", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FC62A19-61E7-4C91-826F-366CAAE3E322", "versionEndIncluding": "15.1.4", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "37298BED-18BB-41AB-BA0A-18FE6B0F9692", "versionEndIncluding": "16.1.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "8AF5B8C5-98F2-45B5-A877-C3666E3D6876", "versionEndIncluding": "12.1.6", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDDC86D0-B9D6-42AE-959E-CC40C6F275EE", "versionEndIncluding": "13.1.4", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B90B84E-0BAA-465E-A4D3-20902772B951", "versionEndIncluding": "14.1.4", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "A905ECB4-41C3-4B28-98C1-2AA51C54C14C", "versionEndIncluding": "15.1.4", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "984AD4A5-D31A-44F7-9775-E4F81AE891FF", "versionEndIncluding": "16.1.1", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "En BIG-IP ASM & Advanced WAF versi\u00f3n 16.1.x anteriores a 16.1.2, 15.1.x anteriores a 15.1.4.1, 14.1.x anteriores a 14.1.4.5, y todas las versiones de 13.1.x y 12.1.x, un usuario autenticado con bajos privilegios, como un invitado, puede cargar datos usando un endpoint REST no revelado causando un aumento en el uso de recursos del disco. Nota: Las versiones de software que han alcanzado el Fin de Soporte T\u00e9cnico (EoTS) no son evaluadas"}], "id": "CVE-2022-23026", "lastModified": "2022-02-01T17:29:18.473", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-25T20:15:09.787", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K08402414"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}