Details of VAR-202105-1195

ID

VAR-202105-1195

CVE

CVE-2021-23016

TITLE

BIG-IP APM Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-007014

DESCRIPTION

On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP APM Contains an unspecified vulnerability.Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. F5 BIG-IP APM is a set of access and security solutions from F5 Corporation of the United States. The product provides unified access to business-critical applications and networks. BIG-IP APM has an access control error vulnerability due to improper access restrictions. The following products and versions are affected: BIG-IP APM: 11.6.1, 11.6.1 HF1, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0, 12.1.0 HF1, 12.1.1, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.4, 12.1.4 , 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.6, 13.1.0.8, 13.1.1, 13.1 .1.2, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.3.6 2, 14.1.0, 14.1.0.3.0.79.6 ENG Hotfix, 14.1.0.3.0.97.6 ENG Hotfix, 14.1.0.3.0.99.6 ENG Hotfix, 14.1.0.5.0.15.5 ENG Hotfix, 14.1.0.5.0.36.5 ENG Hotfix, 14.1.0.5.0.40.5 ENG Hotfix, 14.1.0.6, 14.1.0.6.0.11.9 ENG Hotfix, 14.1.0.6.0.14.9 ENG Hotfix, 14.1.0.6.0.68.9 ENG Hotfix, 14.1.0.6.0.70.9 ENG Hotfix, 14.1.1, 14.1. 2, 14.1.2-0.89.37, 14.1.2.0.11

Trust: 2.34

sources: NVD: CVE-2021-23016 // JVNDB: JVNDB-2021-007014 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381502 // VULMON: CVE-2021-23016

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	12.1.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.4.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	16.0.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.3	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.4.1	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.4	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.0.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.x	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	13.1.x	Trust: 0.8

sources: JVNDB: JVNDB-2021-007014 // NVD: CVE-2021-23016

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-23016
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-23016
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202104-975
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202104-2146
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-381502
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2021-23016
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-23016
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-381502
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2021-23016
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
NVD:	CVE-2021-23016
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-381502 // VULMON: CVE-2021-23016 // JVNDB: JVNDB-2021-007014 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2146 // NVD: CVE-2021-23016

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Lack of information (CWE-noinfo) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-007014 // NVD: CVE-2021-23016

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-2146

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:	K75540265	url:	https://support.f5.com/csp/article/K75540265	Trust: 0.8
title:	F5 BIG-IP APM Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148895	Trust: 0.6

sources: JVNDB: JVNDB-2021-007014 // CNNVD: CNNVD-202104-2146

EXTERNAL IDS

db:	NVD	id:	CVE-2021-23016	Trust: 3.4
db:	JVNDB	id:	JVNDB-2021-007014	Trust: 0.8
db:	CS-HELP	id:	SB2021041363	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-975	Trust: 0.6
db:	AUSCERT	id:	ESB-2021.1449	Trust: 0.6
db:	CS-HELP	id:	SB2021042919	Trust: 0.6
db:	CNNVD	id:	CNNVD-202104-2146	Trust: 0.6
db:	VULHUB	id:	VHN-381502	Trust: 0.1
db:	VULMON	id:	CVE-2021-23016	Trust: 0.1

sources: VULHUB: VHN-381502 // VULMON: CVE-2021-23016 // JVNDB: JVNDB-2021-007014 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2146 // NVD: CVE-2021-23016

REFERENCES

url:	https://support.f5.com/csp/article/k75540265	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-23016	Trust: 0.8
url:	https://www.cybersecurity-help.cz/vdb/sb2021041363	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2021042919	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-file-reading-via-apm-35199	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/esb-2021.1449	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-381502 // VULMON: CVE-2021-23016 // JVNDB: JVNDB-2021-007014 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2146 // NVD: CVE-2021-23016

SOURCES

db:	VULHUB	id:	VHN-381502
db:	VULMON	id:	CVE-2021-23016
db:	JVNDB	id:	JVNDB-2021-007014
db:	CNNVD	id:	CNNVD-202104-975
db:	CNNVD	id:	CNNVD-202104-2146
db:	NVD	id:	CVE-2021-23016

LAST UPDATE DATE

2024-08-14T12:31:39.858000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-381502	date:	2021-05-24T00:00:00
db:	VULMON	id:	CVE-2021-23016	date:	2021-05-24T00:00:00
db:	JVNDB	id:	JVNDB-2021-007014	date:	2022-01-31T03:11:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-14T00:00:00
db:	CNNVD	id:	CNNVD-202104-2146	date:	2021-05-25T00:00:00
db:	NVD	id:	CVE-2021-23016	date:	2021-05-24T12:46:22.790

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-381502	date:	2021-05-10T00:00:00
db:	VULMON	id:	CVE-2021-23016	date:	2021-05-10T00:00:00
db:	JVNDB	id:	JVNDB-2021-007014	date:	2022-01-31T00:00:00
db:	CNNVD	id:	CNNVD-202104-975	date:	2021-04-13T00:00:00
db:	CNNVD	id:	CNNVD-202104-2146	date:	2021-04-29T00:00:00
db:	NVD	id:	CVE-2021-23016	date:	2021-05-10T15:15:07.523