Details of VAR-201907-0137

ID

VAR-201907-0137

CVE

CVE-2019-6639

TITLE

BIG-IP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006056

DESCRIPTION

On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS. Multiple F5 BIG-IP Products are prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The following products and versions are affected: F5 BIG-IP AFM version 11.5.0 to 11.5.8, version 11.6.0 to 11.6.3, version 12.1.0 to 12.1.4, version 13.0.0 to 13.1.1, version 14.0. 0 to 14.1.0 versions; F5 BIG-IP PEM versions 11.5.0 to 11.5.8, 11.6.0 to 11.6.3 versions, 12.1.0 to 12.1.4 versions, 13.0.0 to 13.1.1 versions, 14.0. 0 to version 14.1.0

Trust: 2.07

sources: NVD: CVE-2019-6639 // JVNDB: JVNDB-2019-006056 // BID: 109064 // VULHUB: VHN-158074 // VULMON: CVE-2019-6639

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.6.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	11.5.9	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.0.0.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	13.1.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	11.5.9	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.5.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	11.5.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	12.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	11.6.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.0.6	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip policy enforcement manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1.0.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.1.0.1	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	14.0.0.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.1.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.1.3	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.1.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.0.8	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	13.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.3.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.3.2	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.8	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.7	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.1.0.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	14.0.0.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1.3	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.1.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.8	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	13.1.0.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.7	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.3.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	12.1.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.2	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.6.0	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	eq	version:	11.5.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	11.6.4	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	11.5.9	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	14.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	14.0.0.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	13.1.1.5	Trust: 0.3
vendor:	f5	model:	big-ip pem	scope:	ne	version:	12.1.4.1	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	11.6.4	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	11.5.9	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.1.0.6	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	14.0.0.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	13.1.1.5	Trust: 0.3
vendor:	f5	model:	big-ip afm	scope:	ne	version:	12.1.4.1	Trust: 0.3

sources: BID: 109064 // JVNDB: JVNDB-2019-006056 // NVD: CVE-2019-6639

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6639
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6639
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201907-046
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-158074
value:	LOW
Trust: 0.1
VULMON:	CVE-2019-6639
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2019-6639
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-158074
severity:	LOW
baseScore:	3.5
vectorString:	AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	6.8
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6639
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.7
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2019-6639
baseSeverity:	MEDIUM
baseScore:	4.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-158074 // VULMON: CVE-2019-6639 // JVNDB: JVNDB-2019-006056 // CNNVD: CNNVD-201907-046 // NVD: CVE-2019-6639

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.9

sources: VULHUB: VHN-158074 // JVNDB: JVNDB-2019-006056 // NVD: CVE-2019-6639

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-046

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-046

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-006056

PATCH

title:	K61002104	url:	https://support.f5.com/csp/article/K61002104	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94282	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2019-6639	Trust: 0.1

sources: VULMON: CVE-2019-6639 // JVNDB: JVNDB-2019-006056 // CNNVD: CNNVD-201907-046

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6639	Trust: 2.9
db:	BID	id:	109064	Trust: 2.1
db:	JVNDB	id:	JVNDB-2019-006056	Trust: 0.8
db:	CNNVD	id:	CNNVD-201907-046	Trust: 0.7
db:	AUSCERT	id:	ESB-2019.2410	Trust: 0.6
db:	VULHUB	id:	VHN-158074	Trust: 0.1
db:	VULMON	id:	CVE-2019-6639	Trust: 0.1

sources: VULHUB: VHN-158074 // VULMON: CVE-2019-6639 // BID: 109064 // JVNDB: JVNDB-2019-006056 // CNNVD: CNNVD-201907-046 // NVD: CVE-2019-6639

REFERENCES

url:	https://support.f5.com/csp/article/k61002104	Trust: 2.1
url:	http://www.securityfocus.com/bid/109064	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6639	Trust: 1.4
url:	http://www.f5.com/	Trust: 0.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6639	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-29665	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2019.2410/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://github.com/live-hack-cve/cve-2019-6639	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-158074 // VULMON: CVE-2019-6639 // BID: 109064 // JVNDB: JVNDB-2019-006056 // CNNVD: CNNVD-201907-046 // NVD: CVE-2019-6639

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109064

SOURCES

db:	VULHUB	id:	VHN-158074
db:	VULMON	id:	CVE-2019-6639
db:	BID	id:	109064
db:	JVNDB	id:	JVNDB-2019-006056
db:	CNNVD	id:	CNNVD-201907-046
db:	NVD	id:	CVE-2019-6639

LAST UPDATE DATE

2024-11-23T22:44:57.470000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-158074	date:	2023-02-16T00:00:00
db:	VULMON	id:	CVE-2019-6639	date:	2023-02-16T00:00:00
db:	BID	id:	109064	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-006056	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201907-046	date:	2019-07-12T00:00:00
db:	NVD	id:	CVE-2019-6639	date:	2024-11-21T04:46:51.653

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-158074	date:	2019-07-03T00:00:00
db:	VULMON	id:	CVE-2019-6639	date:	2019-07-03T00:00:00
db:	BID	id:	109064	date:	2019-07-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-006056	date:	2019-07-09T00:00:00
db:	CNNVD	id:	CNNVD-201907-046	date:	2019-07-02T00:00:00
db:	NVD	id:	CVE-2019-6639	date:	2019-07-03T19:15:13.347