ID

VAR-201812-0374


CVE

CVE-2018-15334


TITLE

APM webtop vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2018-012906

DESCRIPTION

A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow an attacker to force an APM webtop session to log out and require re-authentication. F5 BIG-IP APM is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests. An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. The following versions of BIG-IP APM are vulnerable: 14.0.0 through 14.1.0, 13.0.0 through 13.1.1, 12.1.0 through 12.1.3, and 11.5.1 through 11.6.3. F5 BIG-IP Access Policy Manager (APM) is a set of access and security solutions from F5 Corporation of the United States. The solution provides unified access to business-critical applications and networks. APM webtop is one of the access portals.

Trust: 1.98

sources: NVD: CVE-2018-15334 // JVNDB: JVNDB-2018-012906 // BID: 106364 // VULHUB: VHN-125583

AFFECTED PRODUCTS

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 12.1.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lte // version: 11.6.3

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lte // version: 14.1.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 13.0.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lte // version: 13.1.1

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: lte // version: 12.1.3

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 14.0.0

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: gte // version: 11.5.1

Trust: 1.0

vendor: f5 // model: big-ip access policy manager // scope: - // version: -

Trust: 0.8

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.8

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.7

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.2

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 14.0.0

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.5

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.1

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.6

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.1

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.3

Trust: 0.6

vendor: f5 // model: big-ip access policy manager // scope: eq // version: 13.1.0.4

Trust: 0.6

sources: JVNDB: JVNDB-2018-012906 // CNNVD: CNNVD-201812-1174 // NVD: CVE-2018-15334

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-15334
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-15334
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201812-1174
value: MEDIUM

Trust: 0.6

VULHUB: VHN-125583
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-15334
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-125583
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-15334
baseSeverity: MEDIUM
baseScore: 4.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 1.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-125583 // JVNDB: JVNDB-2018-012906 // CNNVD: CNNVD-201812-1174 // NVD: CVE-2018-15334

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-125583 // JVNDB: JVNDB-2018-012906 // NVD: CVE-2018-15334

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-1174

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201812-1174

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012906

PATCH

title: K74114570 // url: https://support.f5.com/csp/article/K74114570

Trust: 0.8

title: APM webtop Fixes for cross-site request forgery vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88207

Trust: 0.6

sources: JVNDB: JVNDB-2018-012906 // CNNVD: CNNVD-201812-1174

EXTERNAL IDS

db: NVD // id: CVE-2018-15334

Trust: 2.5

db: BID // id: 106364

Trust: 1.4

db: JVNDB // id: JVNDB-2018-012906

Trust: 0.8

db: CNNVD // id: CNNVD-201812-1174

Trust: 0.7

db: VULHUB // id: VHN-125583

Trust: 0.1

sources: VULHUB: VHN-125583 // BID: 106364 // JVNDB: JVNDB-2018-012906 // CNNVD: CNNVD-201812-1174 // NVD: CVE-2018-15334

REFERENCES

url:https://support.f5.com/csp/article/k74114570

Trust: 1.7

url:http://www.securityfocus.com/bid/106364

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-15334

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-15334

Trust: 0.8

sources: VULHUB: VHN-125583 // JVNDB: JVNDB-2018-012906 // CNNVD: CNNVD-201812-1174 // NVD: CVE-2018-15334

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 106364

SOURCES

db: VULHUB // id: VHN-125583
db: BID // id: 106364
db: JVNDB // id: JVNDB-2018-012906
db: CNNVD // id: CNNVD-201812-1174
db: NVD // id: CVE-2018-15334

LAST UPDATE DATE

2024-11-23T22:51:53.870000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-125583 // date: 2019-01-04T00:00:00
db: BID // id: 106364 // date: 2018-12-28T00:00:00
db: JVNDB // id: JVNDB-2018-012906 // date: 2019-02-08T00:00:00
db: CNNVD // id: CNNVD-201812-1174 // date: 2019-01-07T00:00:00
db: NVD // id: CVE-2018-15334 // date: 2024-11-21T03:50:35.363

SOURCES RELEASE DATE

db: VULHUB // id: VHN-125583 // date: 2018-12-28T00:00:00
db: BID // id: 106364 // date: 2018-12-28T00:00:00
db: JVNDB // id: JVNDB-2018-012906 // date: 2019-02-08T00:00:00
db: CNNVD // id: CNNVD-201812-1174 // date: 2018-12-29T00:00:00
db: NVD // id: CVE-2018-15334 // date: 2018-12-28T15:29:00.437