ID

VAR-202008-0944


CVE

CVE-2020-5928


TITLE

Cross-site request forgery vulnerability in BIG-IP ASM

Trust: 0.8

sources: JVNDB: JVNDB-2020-010305

DESCRIPTION

In versions 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.2.6, 13.1.0-13.1.3.4, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the BIG-IP ASM Configuration utility CSRF protection token can be reused multiple times. A cross-site request forgery vulnerability exists in BIG-IP ASM. Information may be tampered with and service operation may be interrupted (DoS). CSRF vulnerabilities exist in BIG-IP ASM versions between 15.1.0 and 15.1.0.4, between 15.0.0 and 15.0.1.3, between 14.1.0 and 14.1.2.3, between 13.1.0 and 13.1.3.3, between 12.1.0 and 12.1.5.1, and between 11.6.1 and 11.6.5.1. The vulnerability is caused by the fact that the web application in BIG-IP ASM does not fully verify whether a request comes from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client.

Trust: 1.71

sources: NVD: CVE-2020-5928 // JVNDB: JVNDB-2020-010305 // VULHUB: VHN-184053

AFFECTED PRODUCTS

vendor: f5
model: big-ip application security manager
scope: gte
version: 11.5.2

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 15.0.1.4

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 15.1.0.5

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: gte
version: 14.1.0

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: gte
version: 12.1.0

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 12.1.5.2

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 11.6.5

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: gte
version: 15.1.0

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: gte
version: 15.0.0

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 14.1.2.7

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: lt
version: 13.1.3

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: gte
version: 13.1.0

Trust: 1.0

vendor: f5
model: big-ip application security manager
scope: eq
version: 11.6.1 to 11.6.5.1

Trust: 0.8

vendor: f5
model: big-ip application security manager
scope: eq
version: 12.1.0 to 12.1.5.1

Trust: 0.8

vendor: f5
model: big-ip application security manager
scope: eq
version: 13.1.0 to 13.1.3.4

Trust: 0.8

vendor: f5
model: big-ip application security manager
scope: eq
version: 14.1.0 to 14.1.2.6

Trust: 0.8

vendor: f5
model: big-ip application security manager
scope: eq
version: 15.0.0 to 15.0.1.3

Trust: 0.8

vendor: f5
model: big-ip application security manager
scope: eq
version: 15.1.0 to 15.1.0.4

Trust: 0.8

sources: JVNDB: JVNDB-2020-010305 // NVD: CVE-2020-5928

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-5928
value: LOW

Trust: 1.0

NVD: JVNDB-2020-010305
value: LOW

Trust: 0.8

CNNVD: CNNVD-202008-1231
value: LOW

Trust: 0.6

VULHUB: VHN-184053
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-5928
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:N/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-010305
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:N/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-184053
severity: LOW
baseScore: 3.3
vectorString: AV:L/AC:M/AU:N/C:N/I:P/A:P
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.4
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-5928
baseSeverity: LOW
baseScore: 3.1
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 0.6
impactScore: 2.5
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-010305
baseSeverity: LOW
baseScore: 3.1
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-184053 // JVNDB: JVNDB-2020-010305 // CNNVD: CNNVD-202008-1231 // NVD: CVE-2020-5928

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-184053 // JVNDB: JVNDB-2020-010305 // NVD: CVE-2020-5928

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202008-1231

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-202008-1231

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010305

PATCH

title: K40843345
url: https://support.f5.com/csp/article/K40843345

Trust: 0.8

sources: JVNDB: JVNDB-2020-010305

EXTERNAL IDS

db: NVD
id: CVE-2020-5928

Trust: 2.5

db: JVNDB
id: JVNDB-2020-010305

Trust: 0.8

db: CNNVD
id: CNNVD-202008-1231

Trust: 0.7

db: AUSCERT
id: ESB-2020.2926

Trust: 0.6

db: VULHUB
id: VHN-184053

Trust: 0.1

sources: VULHUB: VHN-184053 // JVNDB: JVNDB-2020-010305 // CNNVD: CNNVD-202008-1231 // NVD: CVE-2020-5928

REFERENCES

url: https://support.f5.com/csp/article/k40843345

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-5928

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5928

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2020.2926/

Trust: 0.6

url: https://vigilance.fr/vulnerability/f5-big-ip-cross-site-request-forgery-33157

Trust: 0.6

sources: VULHUB: VHN-184053 // JVNDB: JVNDB-2020-010305 // CNNVD: CNNVD-202008-1231 // NVD: CVE-2020-5928

SOURCES

db: VULHUB, id: VHN-184053
db: JVNDB, id: JVNDB-2020-010305
db: CNNVD, id: CNNVD-202008-1231
db: NVD, id: CVE-2020-5928

LAST UPDATE DATE

2024-11-23T22:16:20.685000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-184053, date: 2020-09-02T00:00:00
db: JVNDB, id: JVNDB-2020-010305, date: 2021-01-06T05:44:22
db: CNNVD, id: CNNVD-202008-1231, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2020-5928, date: 2024-11-21T05:34:50.700

SOURCES RELEASE DATE

db: VULHUB, id: VHN-184053, date: 2020-08-26T00:00:00
db: JVNDB, id: JVNDB-2020-010305, date: 2021-01-06T05:44:22
db: CNNVD, id: CNNVD-202008-1231, date: 2020-08-26T00:00:00
db: NVD, id: CVE-2020-5928, date: 2020-08-26T16:15:13.057