CVE-2023-39447 - OpenCVE

When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Guided Configuration Big-ip Access Policy Manager

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager:17.0.0:::::::*
	cpe:2.3:a:f5:big-ip_guided_configuration::::::::
	cpe:2.3:a:f5:big-ip_guided_configuration:6.0:::::::*
	cpe:2.3:a:f5:big-ip_guided_configuration:8.0:::::::*

References

Link	Resource
https://my.f5.com/manage/s/article/K47756555	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: f5

Published: 2023-10-10T12:32:21.469Z

Updated: 2023-10-10T12:32:21.469Z

Reserved: 2023-10-05T19:17:34.520Z

Link: CVE-2023-39447

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-10T13:15:20.613

Modified: 2023-10-16T18:40:24.253

Link: CVE-2023-39447

JSON object: View

Redhat Information

No data.

CWE

CWE-532

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-39447", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2023-10-05T19:17:34.520Z", "datePublished": "2023-10-10T12:32:21.469Z", "dateUpdated": "2023-10-10T12:32:21.469Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["APM"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "*", "status": "unaffected", "version": "17.1.0", "versionType": "semver"}, {"lessThan": "16.1.4", "status": "affected", "version": "16.1.0", "versionType": "semver"}, {"lessThan": "15.1.8", "status": "affected", "version": "15.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "14.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "13.1.0", "versionType": "semver"}]}, {"defaultStatus": "unknown", "modules": ["Guided Configuration"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "9.0", "status": "affected", "version": "6.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "F5"}], "datePublic": "2023-10-18T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log.  \n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n</span><p></p>"}], "value": "\nWhen BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2023-10-10T12:32:21.469Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K47756555"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP APM Guided Configuration vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "48743FD4-1E72-4550-92D6-F06D6D0AF142", "versionEndExcluding": "15.1.8", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8F16422-A642-4614-96F2-E5B4877E8206", "versionEndExcluding": "16.1.4", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD637AF5-F7D1-428F-955E-16756B7476E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_guided_configuration:*:*:*:*:*:*:*:*", "matchCriteriaId": "C36042F8-9B48-4E0D-ABC1-F10BE2A49CB8", "versionEndIncluding": "7.7", "versionStartIncluding": "7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_guided_configuration:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "63E1215D-2724-4249-B0FD-16C32480A11D", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_guided_configuration:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "6AED33D2-594D-4057-A7D5-041665AA6E07", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nWhen BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\n\n\n\n"}, {"lang": "es", "value": "Cuando se configura BIG-IP APM Guided Configurations, es posible que se registre informaci\u00f3n confidencial no divulgada en restnoded log. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se eval\u00faan."}], "id": "CVE-2023-39447", "lastModified": "2023-10-16T18:40:24.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Primary"}]}, "published": "2023-10-10T13:15:20.613", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K47756555"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "f5sirt@f5.com", "type": "Primary"}]}