CVE-2022-31473 - OpenCVE

In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Access Policy Manager

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.0:::::::*

References

Link	Resource
https://support.f5.com/csp/article/K34893234	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: f5

Published: 2022-08-03T00:00:00

Updated: 2022-08-04T17:45:54

Reserved: 2022-07-19T00:00:00

Link: CVE-2022-31473

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-04T18:15:09.630

Modified: 2022-08-10T23:36:48.057

Link: CVE-2022-31473

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "BIG-IP APM", "vendor": "F5", "versions": [{"lessThan": "13.1.x*", "status": "unaffected", "version": "13.1.0", "versionType": "custom"}, {"lessThan": "14.1.x*", "status": "unaffected", "version": "14.1.0", "versionType": "custom"}, {"lessThan": "15.1.4", "status": "affected", "version": "15.1.x", "versionType": "custom"}, {"lessThan": "16.1.1", "status": "affected", "version": "16.1.x", "versionType": "custom"}, {"lessThan": "17.0.x*", "status": "unaffected", "version": "17.0.0", "versionType": "custom"}]}], "datePublic": "2022-08-03T00:00:00", "descriptions": [{"lang": "en", "value": "In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T17:45:54", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.f5.com/csp/article/K34893234"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP APM Appliance mode vulnerability CVE-2022-31473", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "DATE_PUBLIC": "2022-08-03T14:00:00.000Z", "ID": "CVE-2022-31473", "STATE": "PUBLIC", "TITLE": "BIG-IP APM Appliance mode vulnerability CVE-2022-31473"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIG-IP APM", "version": {"version_data": [{"version_affected": "!>=", "version_name": "13.1.x", "version_value": "13.1.0"}, {"version_affected": "!>=", "version_name": "14.1.x", "version_value": "14.1.0"}, {"version_affected": "<", "version_name": "15.1.x", "version_value": "15.1.4"}, {"version_affected": "<", "version_name": "16.1.x", "version_value": "16.1.1"}, {"version_affected": "!>=", "version_name": "17.0.x", "version_value": "17.0.0"}]}}]}, "vendor_name": "F5"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K34893234", "refsource": "MISC", "url": "https://support.f5.com/csp/article/K34893234"}]}, "source": {"discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2022-31473", "datePublished": "2022-08-03T00:00:00", "dateReserved": "2022-07-19T00:00:00", "dateUpdated": "2022-08-04T17:45:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "0328FE23-1C06-406A-8642-949756256D2A", "versionEndExcluding": "15.1.4", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:16.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EF96CE38-E834-475C-92AD-97D904D8F831", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In BIG-IP Versions 16.1.x before 16.1.1 and 15.1.x before 15.1.4, when running in Appliance mode, an authenticated attacker may be able to bypass Appliance mode restrictions due to a directory traversal vulnerability in an undisclosed page within iApps. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "En BIG-IP versiones 16.1.x anteriores a 16.1.1 y 15.1.x anteriores a 15.1.4, cuando es ejecutado en modo Appliance, un atacante autenticado puede ser capaz de omitir las restricciones del modo Appliance debido a una vulnerabilidad de salto de directorio en una p\u00e1gina no revelada dentro de iApps. Una explotaci\u00f3n con \u00e9xito puede permitir al atacante cruzar un l\u00edmite de seguridad. Nota: Las versiones de software que han alcanzado el Fin del Soporte T\u00e9cnico (EoTS) no son evaluadas"}], "id": "CVE-2022-31473", "lastModified": "2022-08-10T23:36:48.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2022-08-04T18:15:09.630", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K34893234"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "f5sirt@f5.com", "type": "Primary"}]}