Details of VAR-201903-0192

ID

VAR-201903-0192

CVE

CVE-2019-6599

TITLE

BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-002604

DESCRIPTION

In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS) attack. BIG-IP Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. F5 BIG-IP APM and Enterprise Manager are prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following products of F5 BIG-IP are vulnerable: F5 BIG-IP APM versions 11.6.1 through 11.6.3 and 11.5.1 through 11.5.8 are vulnerable. F5 BIG-IP Enterprise Manager version 3.1.1 is vulnerable. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. escape. A remote attacker could exploit this vulnerability to make the content of the affected page inaccessible or to damage the content

Trust: 1.98

sources: NVD: CVE-2019-6599 // JVNDB: JVNDB-2019-002604 // BID: 107420 // VULHUB: VHN-158034

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.5.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	enterprise manager	scope:	eq	version:	3.1.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip apm hf3	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf2	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip apm hf11	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm hf10	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip apm hf1	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip apm hf6	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	ne	version:	11.5.9	Trust: 0.3
vendor:	f5	model:	big-ip apm	scope:	ne	version:	11.6.3.3	Trust: 0.3

sources: BID: 107420 // JVNDB: JVNDB-2019-002604 // NVD: CVE-2019-6599

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6599
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6599
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201903-429
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158034
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6599
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-158034
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6599
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-158034 // JVNDB: JVNDB-2019-002604 // CNNVD: CNNVD-201903-429 // NVD: CVE-2019-6599

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-158034 // JVNDB: JVNDB-2019-002604 // NVD: CVE-2019-6599

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-429

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201903-429

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002604

PATCH

title:	K46401178	url:	https://support.f5.com/csp/article/K46401178	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90045	Trust: 0.6

sources: JVNDB: JVNDB-2019-002604 // CNNVD: CNNVD-201903-429

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6599	Trust: 2.8
db:	BID	id:	107420	Trust: 2.0
db:	JVNDB	id:	JVNDB-2019-002604	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-429	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.0772	Trust: 0.6
db:	VULHUB	id:	VHN-158034	Trust: 0.1

sources: VULHUB: VHN-158034 // BID: 107420 // JVNDB: JVNDB-2019-002604 // CNNVD: CNNVD-201903-429 // NVD: CVE-2019-6599

REFERENCES

url:	https://support.f5.com/csp/article/k46401178	Trust: 2.0
url:	http://www.securityfocus.com/bid/107420	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6599	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6599	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/76866	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-cross-site-scripting-via-json-response-28722	Trust: 0.6
url:	http://www.f5.com/	Trust: 0.3

sources: VULHUB: VHN-158034 // BID: 107420 // JVNDB: JVNDB-2019-002604 // CNNVD: CNNVD-201903-429 // NVD: CVE-2019-6599

CREDITS

The vendor reported this issue.

Trust: 0.9

sources: BID: 107420 // CNNVD: CNNVD-201903-429

SOURCES

db:	VULHUB	id:	VHN-158034
db:	BID	id:	107420
db:	JVNDB	id:	JVNDB-2019-002604
db:	CNNVD	id:	CNNVD-201903-429
db:	NVD	id:	CVE-2019-6599

LAST UPDATE DATE

2024-11-23T22:58:46.258000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158034	date:	2019-03-18T00:00:00
db:	BID	id:	107420	date:	2019-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-002604	date:	2019-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201903-429	date:	2019-03-22T00:00:00
db:	NVD	id:	CVE-2019-6599	date:	2024-11-21T04:46:46.753

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158034	date:	2019-03-13T00:00:00
db:	BID	id:	107420	date:	2019-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2019-002604	date:	2019-04-11T00:00:00
db:	CNNVD	id:	CNNVD-201903-429	date:	2019-03-12T00:00:00
db:	NVD	id:	CVE-2019-6599	date:	2019-03-13T22:29:00.520