CVE-2022-27806

EPSS 0.66%
Published 05.05.2022 17:15:13
Last modified 21.11.2024 06:56:13
Source f5sirt@f5.com
Teams watchlist Login
Open Login

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

F5 ≫ Big-ip Access Policy Manager Version13.1.0

F5 ≫ Big-ip Access Policy Manager Version13.1.1

F5 ≫ Big-ip Access Policy Manager Version13.1.3

F5 ≫ Big-ip Access Policy Manager Version13.1.4

F5 ≫ Big-ip Access Policy Manager Version13.1.5

F5 ≫ Big-ip Access Policy Manager Version14.1.0

F5 ≫ Big-ip Access Policy Manager Version14.1.2

F5 ≫ Big-ip Access Policy Manager Version14.1.3

F5 ≫ Big-ip Access Policy Manager Version14.1.4

F5 ≫ Big-ip Access Policy Manager Version15.1.0

F5 ≫ Big-ip Access Policy Manager Version15.1.1

F5 ≫ Big-ip Access Policy Manager Version15.1.2

F5 ≫ Big-ip Access Policy Manager Version15.1.3

F5 ≫ Big-ip Access Policy Manager Version15.1.4

F5 ≫ Big-ip Access Policy Manager Version15.1.5

F5 ≫ Big-ip Access Policy Manager Version16.1.0

F5 ≫ Big-ip Access Policy Manager Version16.1.1

F5 ≫ Big-ip Access Policy Manager Version16.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version13.1.5

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version14.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.2

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.3

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.4

F5 ≫ Big-ip Advanced Web Application Firewall Version15.1.5

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.0

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.1

F5 ≫ Big-ip Advanced Web Application Firewall Version16.1.2

F5 ≫ Big-ip Application Security Manager Version13.1.0

F5 ≫ Big-ip Application Security Manager Version13.1.1

F5 ≫ Big-ip Application Security Manager Version13.1.3

F5 ≫ Big-ip Application Security Manager Version13.1.4

F5 ≫ Big-ip Application Security Manager Version13.1.5

F5 ≫ Big-ip Application Security Manager Version14.1.0

F5 ≫ Big-ip Application Security Manager Version14.1.2

F5 ≫ Big-ip Application Security Manager Version14.1.3

F5 ≫ Big-ip Application Security Manager Version14.1.4

F5 ≫ Big-ip Application Security Manager Version15.1.0

F5 ≫ Big-ip Application Security Manager Version15.1.1

F5 ≫ Big-ip Application Security Manager Version15.1.2

F5 ≫ Big-ip Application Security Manager Version15.1.3

F5 ≫ Big-ip Application Security Manager Version15.1.4

F5 ≫ Big-ip Application Security Manager Version15.1.5

F5 ≫ Big-ip Application Security Manager Version16.1.0

F5 ≫ Big-ip Application Security Manager Version16.1.1

F5 ≫ Big-ip Application Security Manager Version16.1.2

F5 ≫ Big-ip Guided Configuration Version < 9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.66%	0.702

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P
f5sirt@f5.com	8.7	2.3	5.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://support.f5.com/csp/article/K68647001

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-27806

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-27806

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-27806

EUVD