CVE-2023-22341 - OpenCVE

On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to '/' * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Access Policy Manager

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::

References

Link	Resource
https://my.f5.com/manage/s/article/K20717585	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: f5

Published: 2023-02-01T17:54:17.997Z

Updated:

Reserved: 2023-01-13T06:43:37.170Z

Link: CVE-2023-22341

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-01T18:15:11.137

Modified: 2023-11-07T04:06:51.017

Link: CVE-2023-22341

JSON object: View

Redhat Information

No data.

CWE

CWE-476

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-22341", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2023-01-13T06:43:37.170Z", "datePublished": "2023-02-01T17:54:17.997Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["APM"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "14.1.5.3", "status": "affected", "version": "14.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "affected", "version": "13.1.0", "versionType": "semver"}]}], "datePublic": "2023-02-01T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate:</p><ul><li>An OAuth Server that references an OAuth Provider</li><li>An OAuth profile with the Authorization Endpoint set to '/'</li><li>An access profile that references the above OAuth profile and is associated with an HTTPS virtual server </li></ul>Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.<br>\n\n"}], "value": "On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate:\n\n * An OAuth Server that references an OAuth Provider\n * An OAuth profile with the Authorization Endpoint set to '/'\n * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2023-02-01T17:54:17.997Z"}, "references": [{"url": "https://my.f5.com/manage/s/article/K20717585"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP APM OAuth vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "D93F04AD-DF14-48AB-9F13-8B2E491CF42E", "versionEndIncluding": "13.1.5", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA291DB9-9484-45BA-A5A5-CCC721779149", "versionEndExcluding": "14.1.5.3", "versionStartIncluding": "14.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate:\n\n * An OAuth Server that references an OAuth Provider\n * An OAuth profile with the Authorization Endpoint set to '/'\n * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n"}], "id": "CVE-2023-22341", "lastModified": "2023-11-07T04:06:51.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2023-02-01T18:15:11.137", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K20717585"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}