ID

VAR-202102-0805


CVE

CVE-2021-22980


TITLE

Untrusted search path vulnerabilities in Edge Client and BIG-IP APM Client Troubleshooting Utility for Windows

Trust: 0.8

sources: JVNDB: JVNDB-2021-003896

DESCRIPTION

In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could allow an attacker to load a malicious DLL library from its current directory. User interaction is required to exploit this vulnerability in that the victim must run this utility on the Windows system. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Trust: 1.71

sources: NVD: CVE-2021-22980 // JVNDB: JVNDB-2021-003896 // VULHUB: VHN-381466

AFFECTED PRODUCTS

vendor: f5, model: big-ip access policy manager, scope: lte, version: 12.1.5

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: lte, version: 15.1.2

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: gte, version: 7.1.9

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 16.0.0

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 13.1.0

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: gte, version: 7.1.5

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: lt, version: 7.1.8.5

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 11.6.1

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: lt, version: 13.1.3.6

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 12.1.0

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 14.1.0

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: lt, version: 7.2.1.1

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: lt, version: 16.0.1.1

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: gte, version: 7.2.1

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: lte, version: 14.1.3

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: lte, version: 11.6.5

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: gte, version: 15.1.0

Trust: 1.0

vendor: f5, model: access policy manager clients, scope: lt, version: 7.1.9.8

Trust: 1.0

vendor: f5, model: big-ip access policy manager, scope: -, version: -

Trust: 0.8

vendor: f5, model: access policy manager clients, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-003896 // NVD: CVE-2021-22980

CVSS

SEVERITY

nvd@nist.gov: CVE-2021-22980
value: HIGH

Trust: 1.0

NVD: CVE-2021-22980
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202102-1065
value: HIGH

Trust: 0.6

VULHUB: VHN-381466
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2021-22980
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-381466
severity: MEDIUM
baseScore: 6.9
vectorString: AV:L/AC:M/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2021-22980
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-22980
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381466 // JVNDB: JVNDB-2021-003896 // CNNVD: CNNVD-202102-1065 // NVD: CVE-2021-22980

PROBLEMTYPE DATA

problemtype:CWE-426

Trust: 1.1

problemtype:Untrusted search path (CWE-426) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-381466 // JVNDB: JVNDB-2021-003896 // NVD: CVE-2021-22980

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202102-1065

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202102-1065

PATCH

title: K29282483, url: https://support.f5.com/csp/article/K29282483

Trust: 0.8

title: Edge Client Fixes for code issue vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142623

Trust: 0.6

sources: JVNDB: JVNDB-2021-003896 // CNNVD: CNNVD-202102-1065

EXTERNAL IDS

db: NVD, id: CVE-2021-22980

Trust: 2.5

db: JVNDB, id: JVNDB-2021-003896

Trust: 0.8

db: AUSCERT, id: ESB-2021.0507

Trust: 0.6

db: CNNVD, id: CNNVD-202102-1065

Trust: 0.6

db: VULHUB, id: VHN-381466

Trust: 0.1

sources: VULHUB: VHN-381466 // JVNDB: JVNDB-2021-003896 // CNNVD: CNNVD-202102-1065 // NVD: CVE-2021-22980

REFERENCES

url:https://support.f5.com/csp/article/k29282483

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2021-22980

Trust: 1.4

url:https://www.auscert.org.au/bulletins/esb-2021.0507

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-apm-executing-dll-code-via-client-troubleshooting-utility-34558

Trust: 0.6

sources: VULHUB: VHN-381466 // JVNDB: JVNDB-2021-003896 // CNNVD: CNNVD-202102-1065 // NVD: CVE-2021-22980

SOURCES

db: VULHUB, id: VHN-381466
db: JVNDB, id: JVNDB-2021-003896
db: CNNVD, id: CNNVD-202102-1065
db: NVD, id: CVE-2021-22980

LAST UPDATE DATE

2024-11-23T23:07:39.699000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-381466, date: 2021-02-19T00:00:00
db: JVNDB, id: JVNDB-2021-003896, date: 2021-11-09T09:02:00
db: CNNVD, id: CNNVD-202102-1065, date: 2021-03-09T00:00:00
db: NVD, id: CVE-2021-22980, date: 2024-11-21T05:51:03.643

SOURCES RELEASE DATE

db: VULHUB, id: VHN-381466, date: 2021-02-12T00:00:00
db: JVNDB, id: JVNDB-2021-003896, date: 2021-11-09T00:00:00
db: CNNVD, id: CNNVD-202102-1065, date: 2021-02-11T00:00:00
db: NVD, id: CVE-2021-22980, date: 2021-02-12T18:15:12.737