CVE-2022-26890

EPSS 0.89%
Published 05.05.2022 17:15:12
Last modified 21.11.2024 06:54:44
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version13.1.0

F5 ≫ Big-ip Access Policy Manager Version13.1.1

F5 ≫ Big-ip Access Policy Manager Version13.1.3

F5 ≫ Big-ip Access Policy Manager Version13.1.4

F5 ≫ Big-ip Access Policy Manager Version13.1.5

F5 ≫ Big-ip Access Policy Manager Version14.1.0

F5 ≫ Big-ip Access Policy Manager Version14.1.2

F5 ≫ Big-ip Access Policy Manager Version14.1.3

F5 ≫ Big-ip Access Policy Manager Version14.1.4

F5 ≫ Big-ip Access Policy Manager Version15.1.0

F5 ≫ Big-ip Access Policy Manager Version15.1.1

F5 ≫ Big-ip Access Policy Manager Version15.1.2

F5 ≫ Big-ip Access Policy Manager Version15.1.3

F5 ≫ Big-ip Access Policy Manager Version15.1.4

F5 ≫ Big-ip Access Policy Manager Version15.1.5

F5 ≫ Big-ip Access Policy Manager Version16.1.0

F5 ≫ Big-ip Access Policy Manager Version16.1.1

F5 ≫ Big-ip Access Policy Manager Version16.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.5

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.5

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.2

F5 ≫ Big-ip Application Security Manager Version13.1.0

F5 ≫ Big-ip Application Security Manager Version13.1.1

F5 ≫ Big-ip Application Security Manager Version13.1.3

F5 ≫ Big-ip Application Security Manager Version13.1.4

F5 ≫ Big-ip Application Security Manager Version13.1.5

F5 ≫ Big-ip Application Security Manager Version14.1.0

F5 ≫ Big-ip Application Security Manager Version14.1.2

F5 ≫ Big-ip Application Security Manager Version14.1.3

F5 ≫ Big-ip Application Security Manager Version14.1.4

F5 ≫ Big-ip Application Security Manager Version15.1.0

F5 ≫ Big-ip Application Security Manager Version15.1.1

F5 ≫ Big-ip Application Security Manager Version15.1.2

F5 ≫ Big-ip Application Security Manager Version15.1.3

F5 ≫ Big-ip Application Security Manager Version15.1.4

F5 ≫ Big-ip Application Security Manager Version15.1.5

F5 ≫ Big-ip Application Security Manager Version16.1.0

F5 ≫ Big-ip Application Security Manager Version16.1.1

F5 ≫ Big-ip Application Security Manager Version16.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.89%	0.746

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
f5sirt@f5.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-670 Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

https://support.f5.com/csp/article/K03442392

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-26890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-26890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-26890

EUVD