Details of VAR-201903-0018

ID

VAR-201903-0018

CVE

CVE-2019-6607

TITLE

BIG-IP ASM Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2019-003218

DESCRIPTION

On BIG-IP ASM 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, there is a stored cross-site scripting vulnerability in an ASM violation viewed in the Configuration utility. In the worst case, an attacker can store a CSRF which results in code execution as the admin user. BIG-IP ASM Contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 Networks BIG-IP Application Security Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. BIG-IP ASM versions 11.5.1 through 11.5.8, 11.6.1 through 11.6.3, 12.1.0 through 12.1.3, 13.0.0 through 13.1.1.3 and 14.0.0 through 14.0.0.2 are vulnerable. F5 BIG-IP Application Security Manager (ASM) is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects emails, simplifies Web access control, and enhances network and application performance. A remote attacker could exploit this vulnerability to inject malicious scripts

Trust: 1.98

sources: NVD: CVE-2019-6607 // JVNDB: JVNDB-2019-003218 // BID: 107630 // VULHUB: VHN-158042

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	14.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.5.1 to 11.5.8	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.6.1 to 11.6.3	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.0 to 12.1.3	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.0.0 to 13.1.1.3	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.0.0 to 14.0.0.2	Trust: 0.8
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip asm hf3	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm build	scope:	eq	version:	11.5.40.1.256	Trust: 0.3
vendor:	f5	model:	big-ip asm hf2	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf6	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf11	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm hf10	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm build	scope:	eq	version:	11.5.110.104.180	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	14.0.0.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.1.2	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.0.8	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	13.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip asm hf1	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	14.1	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	12.1.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	11.6.4	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	11.5.9	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	14.0.0.3	Trust: 0.3
vendor:	f5	model:	big-ip asm	scope:	ne	version:	13.1.1.4	Trust: 0.3

sources: BID: 107630 // JVNDB: JVNDB-2019-003218 // NVD: CVE-2019-6607

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6607
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6607
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201903-846
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158042
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6607
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158042
severity:	MEDIUM
baseScore:	6.0
vectorString:	AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	6.8
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6607
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158042 // JVNDB: JVNDB-2019-003218 // CNNVD: CNNVD-201903-846 // NVD: CVE-2019-6607

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-158042 // JVNDB: JVNDB-2019-003218 // NVD: CVE-2019-6607

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-846

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201903-846

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003218

PATCH

title:	K14812883	url:	https://support.f5.com/csp/article/K14812883	Trust: 0.8
title:	F5 BIG-IP ASM Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90329	Trust: 0.6

sources: JVNDB: JVNDB-2019-003218 // CNNVD: CNNVD-201903-846

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6607	Trust: 2.8
db:	BID	id:	107630	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-003218	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-846	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.0934	Trust: 0.6
db:	CNVD	id:	CNVD-2020-61644	Trust: 0.1
db:	VULHUB	id:	VHN-158042	Trust: 0.1

sources: VULHUB: VHN-158042 // BID: 107630 // JVNDB: JVNDB-2019-003218 // CNNVD: CNNVD-201903-846 // NVD: CVE-2019-6607

REFERENCES

url:	https://support.f5.com/csp/article/k14812883	Trust: 2.0
url:	http://www.securityfocus.com/bid/107630	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6607	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6607	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/77570	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-asm-cross-site-scripting-via-viewed-asm-violation-28817	Trust: 0.6
url:	http://www.f5.com/products/big-ip/big-ip-application-security-manager/overview	Trust: 0.3

sources: VULHUB: VHN-158042 // BID: 107630 // JVNDB: JVNDB-2019-003218 // CNNVD: CNNVD-201903-846 // NVD: CVE-2019-6607

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 107630

SOURCES

db:	VULHUB	id:	VHN-158042
db:	BID	id:	107630
db:	JVNDB	id:	JVNDB-2019-003218
db:	CNNVD	id:	CNNVD-201903-846
db:	NVD	id:	CVE-2019-6607

LAST UPDATE DATE

2024-11-23T23:11:55.335000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158042	date:	2019-04-05T00:00:00
db:	BID	id:	107630	date:	2019-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-003218	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201903-846	date:	2019-04-08T00:00:00
db:	NVD	id:	CVE-2019-6607	date:	2024-11-21T04:46:47.667

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158042	date:	2019-03-28T00:00:00
db:	BID	id:	107630	date:	2019-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-003218	date:	2019-05-13T00:00:00
db:	CNNVD	id:	CNNVD-201903-846	date:	2019-03-22T00:00:00
db:	NVD	id:	CVE-2019-6607	date:	2019-03-28T21:29:00.773