Details of VAR-202102-0809

ID

VAR-202102-0809

CVE

CVE-2021-22984

TITLE

BIG-IP Advanced WAF and ASM Open redirect vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-003601

DESCRIPTION

On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving a unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. BIG-IP Advanced WAF and ASM Contains an open redirect vulnerability.Information may be obtained and information may be tampered with. F5 BIG-IP ASM is a Web Application Firewall (WAF) of F5 Corporation in the United States, which provides secure remote access, protects emails, simplifies Web access control, and enhances network and application performance. There are security vulnerabilities in BIG-IP Advanced WAF and ASM. There is no information about this vulnerability at present. Please keep an eye on CNNVD or manufacturer announcements

Trust: 1.71

sources: NVD: CVE-2021-22984 // JVNDB: JVNDB-2021-003601 // VULHUB: VHN-381470

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.2.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	11.6.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	11.6.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	14.1.2.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	12.1.5.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	15.1.0.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	12.1.5.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.3.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	13.1.3.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.0.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	15.0.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.0.1.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	13.1.3.4	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	11.6.x	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	12.1.x	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.x	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.x	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	11.6.5.2	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	15.1.0.2	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	12.1.5.2	Trust: 0.8
vendor:	f5	model:	big-ip advanced web application firewall	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	eq	version:	14.1.2.5	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.0.x	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.x	Trust: 0.8

sources: JVNDB: JVNDB-2021-003601 // NVD: CVE-2021-22984

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-22984
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-22984
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202102-1108
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-381470
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-22984
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-381470
severity:	MEDIUM
baseScore:	5.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-22984
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2021-22984
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381470 // JVNDB: JVNDB-2021-003601 // CNNVD: CNNVD-202102-1108 // NVD: CVE-2021-22984

PROBLEMTYPE DATA

problemtype:	CWE-601	Trust: 1.1
problemtype:	Open redirect (CWE-601) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381470 // JVNDB: JVNDB-2021-003601 // NVD: CVE-2021-22984

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202102-1108

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202102-1108

PATCH

title:	K33440533	url:	https://support.f5.com/csp/article/K33440533	Trust: 0.8
title:	F5 BIG-IP ASM Enter the fix for the verification error vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=142377	Trust: 0.6

sources: JVNDB: JVNDB-2021-003601 // CNNVD: CNNVD-202102-1108

EXTERNAL IDS

db:	NVD	id:	CVE-2021-22984	Trust: 2.5
db:	JVNDB	id:	JVNDB-2021-003601	Trust: 0.8
db:	CNNVD	id:	CNNVD-202102-1108	Trust: 0.6
db:	VULHUB	id:	VHN-381470	Trust: 0.1

sources: VULHUB: VHN-381470 // JVNDB: JVNDB-2021-003601 // CNNVD: CNNVD-202102-1108 // NVD: CVE-2021-22984

REFERENCES

url:	https://support.f5.com/csp/article/k33440533	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-22984	Trust: 1.4

sources: VULHUB: VHN-381470 // JVNDB: JVNDB-2021-003601 // CNNVD: CNNVD-202102-1108 // NVD: CVE-2021-22984

SOURCES

db:	VULHUB	id:	VHN-381470
db:	JVNDB	id:	JVNDB-2021-003601
db:	CNNVD	id:	CNNVD-202102-1108
db:	NVD	id:	CVE-2021-22984

LAST UPDATE DATE

2024-11-23T21:34:51.538000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381470	date:	2021-02-18T00:00:00
db:	JVNDB	id:	JVNDB-2021-003601	date:	2021-10-29T02:01:00
db:	CNNVD	id:	CNNVD-202102-1108	date:	2021-03-09T00:00:00
db:	NVD	id:	CVE-2021-22984	date:	2024-11-21T05:51:04.060

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381470	date:	2021-02-12T00:00:00
db:	JVNDB	id:	JVNDB-2021-003601	date:	2021-10-29T00:00:00
db:	CNNVD	id:	CNNVD-202102-1108	date:	2021-02-12T00:00:00
db:	NVD	id:	CVE-2021-22984	date:	2021-02-12T20:15:13.800