Details of VAR-202105-0647

ID

VAR-202105-0647

CVE

CVE-2021-23012

TITLE

BIG-IP Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-007011

DESCRIPTION

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Contains a command injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. BIG-IP has an input validation error vulnerability that arises from insufficient validation of user-supplied input. The following products and versions are affected: BIG-IP: 13.1.0, 13.1.0.4, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.1.0 , 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99 .6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1 .2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1. 0.99.4-ENG Hotfix, 14

Trust: 2.34

sources: NVD: CVE-2021-23012 // JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381498 // VULMON: CVE-2021-23012

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lte	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip global traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	16.0.1.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced web application firewall	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip global traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23012
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-23012
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-2131
value:	HIGH
Trust: 0.6
VULHUB:	VHN-381498
value:	HIGH
Trust: 0.1
VULMON:	CVE-2021-23012
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2021-23012
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-381498
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-23012
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.5
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2021-23012
baseSeverity:	HIGH
baseScore:	8.2
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // NVD: CVE-2021-23012

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	Command injection (CWE-77) [NVD Evaluation ]	Trust: 0.8

sources: VULHUB: VHN-381498 // JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202104-2131

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	K04234247	url:	https://support.f5.com/csp/article/K04234247	Trust: 0.8
title:	F5 BIG-IP Fixes for command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151778	Trust: 0.6

sources: JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-2131

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23012	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-007011	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	CS-HELP	id:	SB2021042912	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1454	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-2131	Trust: 0.6
db:	VULHUB	id:	VHN-381498	Trust: 0.1
db:	VULMON	id:	CVE-2021-23012	Trust: 0.1

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // NVD: CVE-2021-23012

REFERENCES

url:	https://support.f5.com/csp/article/k04234247	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23012	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042912	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1454	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-shell-command-execution-35196	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/77.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // NVD: CVE-2021-23012

SOURCES

db:	VULHUB	id:	VHN-381498
db:	VULMON	id:	CVE-2021-23012
db:	JVNDB	id:	JVNDB-2021-007011
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-2131
db:	NVD	id:	CVE-2021-23012

LAST UPDATE DATE

2024-08-14T13:04:12.883000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381498	date:	2022-06-28T00:00:00
db:	VULMON	id:	CVE-2021-23012	date:	2021-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-007011	date:	2022-01-31T03:11:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-2131	date:	2022-03-08T00:00:00
db:	NVD	id:	CVE-2021-23012	date:	2022-06-28T14:11:45.273

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381498	date:	2021-05-10T00:00:00
db:	VULMON	id:	CVE-2021-23012	date:	2021-05-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-007011	date:	2022-01-31T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-2131	date:	2021-04-29T00:00:00
db:	NVD	id:	CVE-2021-23012	date:	2021-05-10T15:15:07.427