CVE-2019-6679

EPSS 0.09%
Published 23.12.2019 18:15:11
Last modified 21.11.2024 04:46:56
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, 13.1.1.5-13.1.3.1, 12.1.4.1-12.1.5, 11.6.4-11.6.5, and 11.5.9-11.5.10, the access controls implemented by scp.whitelist and scp.blacklist are not properly enforced for paths that are symlinks. This allows authenticated users with SCP access to overwrite certain configuration files that would otherwise be restricted.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Access Policy Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Access Policy Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Access Policy Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Access Policy Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Access Policy Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Access Policy Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Advanced Firewall Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Advanced Firewall Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Advanced Firewall Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Analytics Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Analytics Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Analytics Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Analytics Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Analytics Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Analytics Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Analytics Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Application Acceleration Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Application Acceleration Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Application Acceleration Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Application Acceleration Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Application Security Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Application Security Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Application Security Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Application Security Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Application Security Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Application Security Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Application Security Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Domain Name System Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Domain Name System Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Domain Name System Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Domain Name System Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Domain Name System Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Domain Name System Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Domain Name System Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Edge Gateway Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Edge Gateway Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Edge Gateway Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Edge Gateway Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Edge Gateway Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Edge Gateway Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Edge Gateway Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Fraud Protection Service Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Fraud Protection Service Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Fraud Protection Service Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Fraud Protection Service Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Fraud Protection Service Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Fraud Protection Service Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Fraud Protection Service Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Global Traffic Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Global Traffic Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Global Traffic Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Global Traffic Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Global Traffic Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Global Traffic Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Global Traffic Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Link Controller Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Link Controller Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Link Controller Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Link Controller Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Link Controller Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Link Controller Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Link Controller Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Local Traffic Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Local Traffic Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Local Traffic Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Local Traffic Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Local Traffic Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Local Traffic Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Local Traffic Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Policy Enforcement Manager Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Policy Enforcement Manager Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Policy Enforcement Manager Version >= 15.0.0 < 15.0.1.1

F5 ≫ Big-ip Webaccelerator Version >= 11.5.9 <= 11.5.10

F5 ≫ Big-ip Webaccelerator Version >= 11.6.4 < 11.6.5.1

F5 ≫ Big-ip Webaccelerator Version >= 12.1.4.1 <= 12.1.5

F5 ≫ Big-ip Webaccelerator Version >= 13.1.1.5 < 13.1.3.2

F5 ≫ Big-ip Webaccelerator Version >= 14.0.0.5 < 14.0.1.1

F5 ≫ Big-ip Webaccelerator Version >= 14.1.0.2 < 14.1.2.3

F5 ≫ Big-ip Webaccelerator Version >= 15.0.0 < 15.0.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.238

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	3.6	3.9	4.9	AV:L/AC:L/Au:N/C:N/I:P/A:P

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://support.f5.com/csp/article/K54336216

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-6679

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-6679

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-6679

EUVD