7.2

CVE-2022-35735

In BIG-IP Versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, an authenticated attacker with Resource Administrator or Manager privileges can create or modify existing monitor objects in the Configuration utility in an undisclosed manner leading to a privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Data is provided by the National Vulnerability Database (NVD)
F5Big-ip Access Policy Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Access Policy Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Access Policy Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Access Policy Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Advanced Firewall Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Advanced Firewall Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Advanced Firewall Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Advanced Firewall Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Analytics Version >= 13.1.0 <= 13.1.5
F5Big-ip Analytics Version >= 14.1.0 < 14.1.5.1
F5Big-ip Analytics Version >= 15.1.0 < 15.1.6.1
F5Big-ip Analytics Version >= 16.1.0 < 16.1.3.1
F5Big-ip Application Acceleration Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Application Acceleration Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Application Acceleration Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Application Acceleration Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Application Security Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Application Security Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Application Security Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Application Security Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Domain Name System Version >= 13.1.0 <= 13.1.5
F5Big-ip Domain Name System Version >= 14.1.0 < 14.1.5.1
F5Big-ip Domain Name System Version >= 15.1.0 < 15.1.6.1
F5Big-ip Domain Name System Version >= 16.1.0 < 16.1.3.1
F5Big-ip Fraud Protection Service Version >= 13.1.0 <= 13.1.5
F5Big-ip Fraud Protection Service Version >= 14.1.0 < 14.1.5.1
F5Big-ip Fraud Protection Service Version >= 15.1.0 < 15.1.6.1
F5Big-ip Fraud Protection Service Version >= 16.1.0 < 16.1.3.1
F5Big-ip Global Traffic Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Global Traffic Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Global Traffic Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Global Traffic Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Link Controller Version >= 13.1.0 <= 13.1.5
F5Big-ip Link Controller Version >= 14.1.0 < 14.1.5.1
F5Big-ip Link Controller Version >= 15.1.0 < 15.1.6.1
F5Big-ip Link Controller Version >= 16.1.0 < 16.1.3.1
F5Big-ip Local Traffic Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Local Traffic Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Local Traffic Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Local Traffic Manager Version >= 16.1.0 < 16.1.3.1
F5Big-ip Policy Enforcement Manager Version >= 13.1.0 <= 13.1.5
F5Big-ip Policy Enforcement Manager Version >= 14.1.0 < 14.1.5.1
F5Big-ip Policy Enforcement Manager Version >= 15.1.0 < 15.1.6.1
F5Big-ip Policy Enforcement Manager Version >= 16.1.0 < 16.1.3.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.63% 0.811
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
f5sirt@f5.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.