Details of VAR-202103-0960

ID

VAR-202103-0960

CVE

CVE-2021-23002

TITLE

BIG-IP APM and APM Edge Client Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-005087

DESCRIPTION

When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. BIG-IP APM and APM Edge Client Contains an unspecified vulnerability.Information may be obtained. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. There is a security vulnerability in F5 BIG-IP. Attackers can use this vulnerability to bypass data access restrictions and obtain sensitive information through VPN Session ID

Trust: 1.71

sources: NVD: CVE-2021-23002 // JVNDB: JVNDB-2021-005087 // VULHUB: VHN-381488

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	gte	version:	7.1.9	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	gte	version:	7.1.5	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	lt	version:	7.1.8.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.2.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.3.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	lt	version:	7.2.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	gte	version:	7.2.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	lt	version:	7.1.9.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.x	Trust: 0.8
vendor:	f5	model:	access policy manager clients	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.2.1	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.3.6	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.0.1.1	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.4	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.0.x	Trust: 0.8

sources: JVNDB: JVNDB-2021-005087 // NVD: CVE-2021-23002

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23002
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-23002
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202103-787
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-381488
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2021-23002
severity:	LOW
baseScore:	2.7
vectorString:	AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	5.1
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-381488
severity:	LOW
baseScore:	2.7
vectorString:	AV:A/AC:L/AU:S/C:P/I:N/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	5.1
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-23002
baseSeverity:	MEDIUM
baseScore:	4.5
vectorString:	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-23002
baseSeverity:	MEDIUM
baseScore:	4.5
vectorString:	CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	ADJACENT NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381488 // JVNDB: JVNDB-2021-005087 // CNNVD: CNNVD-202103-787 // NVD: CVE-2021-23002

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-005087 // NVD: CVE-2021-23002

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202103-787

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-787

PATCH

title:	K71891773	url:	https://support.f5.com/csp/article/K71891773	Trust: 0.8
title:	F5 BIG-IP APM Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=146018	Trust: 0.6
title:	F5_Vulnerability	url:	https://github.com/DNTYO/F5_Vulnerability	Trust: 0.1

sources: VULMON: CVE-2021-23002 // JVNDB: JVNDB-2021-005087 // CNNVD: CNNVD-202103-787

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23002	Trust: 2.6
db:	JVNDB	id:	JVNDB-2021-005087	Trust: 0.8
db:	CNNVD	id:	CNNVD-202103-787	Trust: 0.7
db:	AUSCERT	id:	ESB-2021.0949	Trust: 0.6
db:	VULHUB	id:	VHN-381488	Trust: 0.1
db:	VULMON	id:	CVE-2021-23002	Trust: 0.1

sources: VULHUB: VHN-381488 // VULMON: CVE-2021-23002 // JVNDB: JVNDB-2021-005087 // CNNVD: CNNVD-202103-787 // NVD: CVE-2021-23002

REFERENCES

url:	https://support.f5.com/csp/article/k71891773	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23002	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2021.0949	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-apm-information-disclosure-via-vpn-session-id-34820	Trust: 0.6
url:	https://github.com/dntyo/f5_vulnerability	Trust: 0.1

sources: VULHUB: VHN-381488 // VULMON: CVE-2021-23002 // JVNDB: JVNDB-2021-005087 // CNNVD: CNNVD-202103-787 // NVD: CVE-2021-23002

SOURCES

db:	VULHUB	id:	VHN-381488
db:	VULMON	id:	CVE-2021-23002
db:	JVNDB	id:	JVNDB-2021-005087
db:	CNNVD	id:	CNNVD-202103-787
db:	NVD	id:	CVE-2021-23002

LAST UPDATE DATE

2024-11-23T22:11:05.565000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381488	date:	2021-04-05T00:00:00
db:	VULMON	id:	CVE-2021-23002	date:	2021-04-05T00:00:00
db:	JVNDB	id:	JVNDB-2021-005087	date:	2021-12-07T09:04:00
db:	CNNVD	id:	CNNVD-202103-787	date:	2021-08-16T00:00:00
db:	NVD	id:	CVE-2021-23002	date:	2024-11-21T05:51:07.867

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381488	date:	2021-03-31T00:00:00
db:	VULMON	id:	CVE-2021-23002	date:	2021-03-31T00:00:00
db:	JVNDB	id:	JVNDB-2021-005087	date:	2021-12-07T00:00:00
db:	CNNVD	id:	CNNVD-202103-787	date:	2021-03-10T00:00:00
db:	NVD	id:	CVE-2021-23002	date:	2021-03-31T18:15:15.380