CVE-2022-26415

EPSS 0.87%
Published 05.05.2022 17:15:12
Last modified 21.11.2024 06:53:54
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Access Policy Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Access Policy Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Access Policy Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Access Policy Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Advanced Firewall Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Advanced Firewall Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Advanced Firewall Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Advanced Firewall Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Analytics Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Analytics Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Analytics Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Analytics Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Analytics Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Application Acceleration Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Application Acceleration Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Application Acceleration Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Application Acceleration Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Application Acceleration Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Application Security Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Application Security Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Application Security Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Application Security Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Application Security Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Domain Name System Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Domain Name System Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Domain Name System Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Domain Name System Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Domain Name System Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Fraud Protection Service Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Fraud Protection Service Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Fraud Protection Service Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Fraud Protection Service Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Fraud Protection Service Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Global Traffic Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Global Traffic Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Global Traffic Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Global Traffic Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Global Traffic Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Link Controller Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Link Controller Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Link Controller Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Link Controller Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Link Controller Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Local Traffic Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Local Traffic Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Local Traffic Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Local Traffic Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Local Traffic Manager Version >= 16.1.0 < 16.1.2.2

F5 ≫ Big-ip Policy Enforcement Manager Version >= 12.1.0 <= 12.1.6

F5 ≫ Big-ip Policy Enforcement Manager Version >= 13.1.0 < 13.1.5

F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.1.0 < 14.1.4.6

F5 ≫ Big-ip Policy Enforcement Manager Version >= 15.1.0 < 15.1.5.1

F5 ≫ Big-ip Policy Enforcement Manager Version >= 16.1.0 < 16.1.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.87%	0.742

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P
f5sirt@f5.com	7.7	1.3	5.8	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://support.f5.com/csp/article/K81952114

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26415

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26415

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26415

EUVD