ID

VAR-202106-1419


CVE

CVE-2021-23024


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Pillow is a Python-based image processing library. There is currently no information about this vulnerability; follow CNNVD or manufacturer announcements for updates. F5 BIG-IQ is a set of software-based cloud management solutions from F5 Corporation of the United States. The solution supports the deployment of application delivery and network services across public and private clouds, traditional data centers and hybrid environments. A command injection vulnerability exists in BIG-IQ Centralized Management due to improper input validation applied in the configuration utility. Remote administrators can pass specially crafted data to the application and execute arbitrary commands on the target system. The following products and versions are affected: BIG-IQ Centralized Management: 6.0.0, 6.0.1, 7.0.0, 7.0.0.2, 8.0.0.

Trust: 1.53

sources: NVD: CVE-2021-23024 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381510

AFFECTED PRODUCTS

vendor: f5, model: big-iq centralized management, scope: lte, version: 7.1.0

Trust: 1.0

vendor: f5, model: big-iq centralized management, scope: gte, version: 8.0.0

Trust: 1.0

vendor: f5, model: big-iq centralized management, scope: lt, version: 8.0.0.1

Trust: 1.0

vendor: f5, model: big-iq centralized management, scope: gte, version: 7.0.0

Trust: 1.0

vendor: f5, model: big-iq centralized management, scope: lte, version: 6.1.0

Trust: 1.0

vendor: f5, model: big-iq centralized management, scope: gte, version: 6.0.0

Trust: 1.0

sources: NVD: CVE-2021-23024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23024
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202106-130
value: HIGH

Trust: 0.6

VULHUB: VHN-381510
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-23024
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-381510
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23024
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-381510 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-130 // NVD: CVE-2021-23024

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2021-23024

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-130

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title: F5 BIG-IQ Centralized Management Fixes for command injection vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=154703

Trust: 0.6

sources: CNNVD: CNNVD-202106-130

EXTERNAL IDS

db: NVD, id: CVE-2021-23024

Trust: 1.7

db: PACKETSTORM, id: 163264

Trust: 1.7

db: CS-HELP, id: SB2021041363

Trust: 0.6

db: CNNVD, id: CNNVD-202104-975

Trust: 0.6

db: CS-HELP, id: SB2021060209

Trust: 0.6

db: AUSCERT, id: ESB-2021.1884

Trust: 0.6

db: CNNVD, id: CNNVD-202106-130

Trust: 0.6

db: VULHUB, id: VHN-381510

Trust: 0.1

sources: VULHUB: VHN-381510 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-130 // NVD: CVE-2021-23024

REFERENCES

url:http://packetstormsecurity.com/files/163264/f5-big-iq-ve-8.0.0-2923215-remote-root.html

Trust: 1.7

url:https://support.f5.com/csp/article/k06024431

Trust: 1.7

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021060209

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1884

Trust: 0.6

sources: VULHUB: VHN-381510 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202106-130 // NVD: CVE-2021-23024

SOURCES

db: VULHUB, id: VHN-381510
db: CNNVD, id: CNNVD-202104-975
db: CNNVD, id: CNNVD-202106-130
db: NVD, id: CVE-2021-23024

LAST UPDATE DATE

2024-08-14T12:50:10.402000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-381510, date: 2021-09-20T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-14T00:00:00
db: CNNVD, id: CNNVD-202106-130, date: 2021-08-16T00:00:00
db: NVD, id: CVE-2021-23024, date: 2021-09-20T13:50:32.627

SOURCES RELEASE DATE

db: VULHUB, id: VHN-381510, date: 2021-06-10T00:00:00
db: CNNVD, id: CNNVD-202104-975, date: 2021-04-13T00:00:00
db: CNNVD, id: CNNVD-202106-130, date: 2021-06-02T00:00:00
db: NVD, id: CVE-2021-23024, date: 2021-06-10T15:15:09.150