Details of VAR-201907-0065

ID

VAR-201907-0065

CVE

CVE-2019-6620

TITLE

BIG-IP and BIG-IQ Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-005932

DESCRIPTION

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user. BIG-IP and BIG-IQ Contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. F5 BIG-IP is an application delivery platform that integrates the functions of network traffic management, application security management, load balancing and other functions of the F5 company in the United States. There is a command injection vulnerability in F5 BIG-IP and BIG-IQ. This vulnerability originates from the process of constructing executable commands by external input data. Network systems or products do not properly filter special elements. Attackers can use this vulnerability to execute illegal commands. The following products and versions are affected: F5 BIG-IP 14.1.0 to 14.1.0.5, 14.0.0 to 14.0.0.5, 13.0.0 to 13.1.1.4, 12.1.0 to 12.1.4.1 , 11.5.1 to 11.6.4; BIG-IQ 6.0.0 to 6.1.0, 5.1.0 to 5.4.0

Trust: 2.25

sources: NVD: CVE-2019-6620 // JVNDB: JVNDB-2019-005932 // CNVD: CNVD-2019-30625 // VULHUB: VHN-158055

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-30625

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	lte	version:	5.4.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	lte	version:	6.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	gte	version:	5.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip webaccelerator	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip edge gateway	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-iq centralized management	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	11.5.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip webaccelerator	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-iq	scope:	gte	version:	5.1.0,<=5.4.0	Trust: 0.6
vendor:	f5	model:	big-iq	scope:	gte	version:	6.0.0,<=6.1.0	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	11.5.1,<=11.6.4	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	12.1.0,<=12.1.4.1	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	13.0.0,<=13.1.1.4	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	14.0.0,<=14.0.0.5	Trust: 0.6
vendor:	f5	model:	big-ip	scope:	gte	version:	14.1.0,<=14.1.0.5	Trust: 0.6

sources: CNVD: CNVD-2019-30625 // JVNDB: JVNDB-2019-005932 // NVD: CVE-2019-6620

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6620
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-6620
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2019-30625
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201907-065
value:	HIGH
Trust: 0.6
VULHUB:	VHN-158055
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6620
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-30625
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-158055
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6620
baseSeverity:	HIGH
baseScore:	7.2
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-30625 // VULHUB: VHN-158055 // JVNDB: JVNDB-2019-005932 // CNNVD: CNNVD-201907-065 // NVD: CVE-2019-6620

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 0.9

sources: VULHUB: VHN-158055 // JVNDB: JVNDB-2019-005932 // NVD: CVE-2019-6620

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-065

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201907-065

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005932

PATCH

title:	K20445457	url:	https://support.f5.com/csp/article/K20445457	Trust: 0.8
title:	Patch for F5 BIG-IP command injection vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/179261	Trust: 0.6

sources: CNVD: CNVD-2019-30625 // JVNDB: JVNDB-2019-005932

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6620	Trust: 3.1
db:	JVNDB	id:	JVNDB-2019-005932	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-065	Trust: 0.7
db:	CNVD	id:	CNVD-2019-30625	Trust: 0.6
db:	AUSCERT	id:	ESB-2019.2408	Trust: 0.6
db:	VULHUB	id:	VHN-158055	Trust: 0.1

sources: CNVD: CNVD-2019-30625 // VULHUB: VHN-158055 // JVNDB: JVNDB-2019-005932 // CNNVD: CNNVD-201907-065 // NVD: CVE-2019-6620

REFERENCES

url:	https://support.f5.com/csp/article/k20445457	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6620	Trust: 1.4
url:	https://support.f5.com/csp/article/k44885536	Trust: 1.2
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6620	Trust: 0.8
url:	https://support.f5.com/csp/article/k67825238	Trust: 0.6
url:	https://support.f5.com/csp/article/k79902360	Trust: 0.6
url:	https://support.f5.com/csp/article/k20541896	Trust: 0.6
url:	https://support.f5.com/csp/article/k22384173	Trust: 0.6
url:	https://support.f5.com/csp/article/k29149494	Trust: 0.6
url:	https://support.f5.com/csp/article/k68151373	Trust: 0.6
url:	https://support.f5.com/csp/article/k00432398	Trust: 0.6
url:	https://support.f5.com/csp/article/k64855220	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2408/	Trust: 0.6

sources: CNVD: CNVD-2019-30625 // VULHUB: VHN-158055 // JVNDB: JVNDB-2019-005932 // CNNVD: CNNVD-201907-065 // NVD: CVE-2019-6620

SOURCES

db:	CNVD	id:	CNVD-2019-30625
db:	VULHUB	id:	VHN-158055
db:	JVNDB	id:	JVNDB-2019-005932
db:	CNNVD	id:	CNNVD-201907-065
db:	NVD	id:	CVE-2019-6620

LAST UPDATE DATE

2024-11-23T21:38:13.191000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-30625	date:	2019-09-06T00:00:00
db:	VULHUB	id:	VHN-158055	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-005932	date:	2019-07-04T00:00:00
db:	CNNVD	id:	CNNVD-201907-065	date:	2020-10-28T00:00:00
db:	NVD	id:	CVE-2019-6620	date:	2024-11-21T04:46:49.337

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-30625	date:	2019-09-06T00:00:00
db:	VULHUB	id:	VHN-158055	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-005932	date:	2019-07-04T00:00:00
db:	CNNVD	id:	CNNVD-201907-065	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2019-6620	date:	2019-07-02T21:15:11.307