Details of VAR-201308-0053

ID

VAR-201308-0053

CVE

CVE-2013-0150

TITLE

F5 BIG-IP APM and FirePass Directory traversal vulnerability in products such as

Trust: 0.8

sources: JVNDB: JVNDB-2013-003683

DESCRIPTION

Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, FirePass 6.0.0 through 6.1.0 and 7.0.0, and other products "when APM is provisioned," allows remote attackers to upload and execute arbitrary files via a .. (dot dot) in the filename parameter. F5 BIG-IP APM and FirePass are prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. A remote attacker can use directory-traversal strings to overwrite arbitrary files in the context of the affected applications. The following versions are vulnerable: F5 BIG-IP APM 10.1.0 through 10.2.4 F5 BIG-IP APM 11.0.0 through 11.3.0 F5 FirePass 6.0.0 through 6.1.0 and 7.0.0. F5 BIG-IP Access Policy Manager (APM) and FirePass SSL VPN (FirePass) are both products of the US company F5. BIG-IP APM is a set of solutions that provide secure unified access to business-critical applications and networks. FirePass is a product that provides secure remote access to internal enterprise applications and data

Trust: 1.98

sources: NVD: CVE-2013-0150 // JVNDB: JVNDB-2013-003683 // BID: 61202 // VULHUB: VHN-60152

AFFECTED PRODUCTS

vendor:	f5	model:	firepass	scope:	eq	version:	7.0.0	Trust: 1.8
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip wan optimization manager	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip wan optimization manager	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	eq	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip protocol security module	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	firepass	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip protocol security module	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip wan optimization manager	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	eq	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip protocol security module	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip protocol security module	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	firepass	scope:	lte	version:	6.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	10.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	10.2.4	Trust: 1.0
vendor:	f5	model:	big-ip wan optimization manager	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.3.0	Trust: 1.0
vendor:	f5	model:	firepass	scope:	eq	version:	6.0	Trust: 0.9
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	10.1.0 to 10.2.4	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.0.0 to 11.3.0	Trust: 0.8
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.0 to 6.1.0	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.0.0	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.3.0	Trust: 0.6
vendor:	f5	model:	firepass	scope:	eq	version:	6.1.0	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	10.2.4	Trust: 0.6
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	10.1.0	Trust: 0.6
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.3	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	7.0	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.1	Trust: 0.3
vendor:	f5	model:	firepass	scope:	eq	version:	6.0.2.3	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.0	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	10.2.4	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	10.1	Trust: 0.3
vendor:	f5	model:	firepass hf-420103-1	scope:	ne	version:	7.0.0	Trust: 0.3
vendor:	f5	model:	firepass hf-420103-1	scope:	ne	version:	6.1.0	Trust: 0.3
vendor:	f5	model:	big-ip apm 11.2.0-hf7	scope:	ne	version:	-	Trust: 0.3
vendor:	f5	model:	big-ip apm 10.2.4-hf7	scope:	ne	version:	-	Trust: 0.3

sources: BID: 61202 // JVNDB: JVNDB-2013-003683 // CNNVD: CNNVD-201308-136 // NVD: CVE-2013-0150

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-0150
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-0150
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201308-136
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-60152
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-0150
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-60152
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-60152 // JVNDB: JVNDB-2013-003683 // CNNVD: CNNVD-201308-136 // NVD: CVE-2013-0150

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-60152 // JVNDB: JVNDB-2013-003683 // NVD: CVE-2013-0150

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201308-136

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201308-136

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003683

PATCH

title:

SOL14468: Client-side component flaw - CVE-2013-0150

url:

http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14468.html

Trust: 0.8

sources: JVNDB: JVNDB-2013-003683

EXTERNAL IDS

db:	NVD	id:	CVE-2013-0150	Trust: 2.8
db:	SECUNIA	id:	53477	Trust: 1.7
db:	JVNDB	id:	JVNDB-2013-003683	Trust: 0.8
db:	CNNVD	id:	CNNVD-201308-136	Trust: 0.7
db:	BID	id:	61202	Trust: 0.4
db:	VULHUB	id:	VHN-60152	Trust: 0.1

sources: VULHUB: VHN-60152 // BID: 61202 // JVNDB: JVNDB-2013-003683 // CNNVD: CNNVD-201308-136 // NVD: CVE-2013-0150

REFERENCES

url:	http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14468.html	Trust: 2.0
url:	https://nealpoole.com/blog/2013/07/code-execution-via-f5-networks-java-applet/	Trust: 2.0
url:	http://secunia.com/advisories/53477	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0150	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0150	Trust: 0.8
url:	http://www.f5.com/products/big-ip/	Trust: 0.3
url:	http://www.f5.com/	Trust: 0.3

sources: VULHUB: VHN-60152 // BID: 61202 // JVNDB: JVNDB-2013-003683 // CNNVD: CNNVD-201308-136 // NVD: CVE-2013-0150

CREDITS

Neal Poole

Trust: 0.3

sources: BID: 61202

SOURCES

db:	VULHUB	id:	VHN-60152
db:	BID	id:	61202
db:	JVNDB	id:	JVNDB-2013-003683
db:	CNNVD	id:	CNNVD-201308-136
db:	NVD	id:	CVE-2013-0150

LAST UPDATE DATE

2024-08-14T14:21:17.483000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-60152	date:	2013-08-12T00:00:00
db:	BID	id:	61202	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003683	date:	2013-08-13T00:00:00
db:	CNNVD	id:	CNNVD-201308-136	date:	2013-08-22T00:00:00
db:	NVD	id:	CVE-2013-0150	date:	2023-12-14T16:08:02.297

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-60152	date:	2013-08-09T00:00:00
db:	BID	id:	61202	date:	2013-06-26T00:00:00
db:	JVNDB	id:	JVNDB-2013-003683	date:	2013-08-13T00:00:00
db:	CNNVD	id:	CNNVD-201308-136	date:	2013-08-22T00:00:00
db:	NVD	id:	CVE-2013-0150	date:	2013-08-09T20:56:06.917