Sign-up

ID

VAR-202201-1959


CVE

CVE-2022-23031


TITLE

plural  F5 Networks  In the product  XML  External entity vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2022-004256

DESCRIPTION

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP FPS , ASM , Advanced WAF for, XML There is a vulnerability in an external entity.Information may be obtained. F5 BIG-IP is an application delivery platform of F5 that integrates functions such as network traffic orchestration, load balancing, intelligent DNS, and remote access policy management

Trust: 1.8

sources: NVD: CVE-2022-23031 // JVNDB: JVNDB-2022-004256 // VULHUB: VHN-411902 // VULMON: CVE-2022-23031

AFFECTED PRODUCTS

vendor:f5model:big-ip advanced web application firewallscope:lteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:eqversion:16.1.1

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope:ltversion:5.1.x

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope:eqversion:15.1.4

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope:ltversion:14.1.x

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.1.x

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope:eqversion:14.1.4.4

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-004256 // NVD: CVE-2022-23031

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-23031
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-23031
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202201-1638
value: MEDIUM

Trust: 0.6

VULHUB: VHN-411902
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-23031
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-23031
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-411902
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-23031
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-23031
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-411902 // VULMON: CVE-2022-23031 // JVNDB: JVNDB-2022-004256 // CNNVD: CNNVD-202201-1638 // NVD: CVE-2022-23031

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

problemtype:XML Improper restriction of external entity references (CWE-611) [NVD evaluation ]

Trust: 0.8

sources: VULHUB: VHN-411902 // JVNDB: JVNDB-2022-004256 // NVD: CVE-2022-23031

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202201-1638

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202201-1638

PATCH

title:K61112120url:https://my.f5.com/manage/s/article/K61112120

Trust: 0.8

title:F5 BIG-IP Fixes for code issue vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=178867

Trust: 0.6

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-23305

Trust: 0.1

title:CVE-2022-XXXXurl:https://github.com/AlphabugX/CVE-2022-RCE

Trust: 0.1

sources: VULMON: CVE-2022-23031 // JVNDB: JVNDB-2022-004256 // CNNVD: CNNVD-202201-1638

EXTERNAL IDS

db:NVDid:CVE-2022-23031

Trust: 3.4

db:JVNDBid:JVNDB-2022-004256

Trust: 0.8

db:CS-HELPid:SB2022011948

Trust: 0.6

db:CNNVDid:CNNVD-202201-1638

Trust: 0.6

db:CNVDid:CNVD-2022-70618

Trust: 0.1

db:VULHUBid:VHN-411902

Trust: 0.1

db:VULMONid:CVE-2022-23031

Trust: 0.1

sources: VULHUB: VHN-411902 // VULMON: CVE-2022-23031 // JVNDB: JVNDB-2022-004256 // CNNVD: CNNVD-202201-1638 // NVD: CVE-2022-23031

REFERENCES

url:https://support.f5.com/csp/article/k61112120

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-23031

Trust: 1.4

url:https://vigilance.fr/vulnerability/f5-big-ip-external-xml-entity-injection-via-configuration-utility-37302

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022011948

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://github.com/alphabugx/cve-2022-23305

Trust: 0.1

sources: VULHUB: VHN-411902 // VULMON: CVE-2022-23031 // JVNDB: JVNDB-2022-004256 // CNNVD: CNNVD-202201-1638 // NVD: CVE-2022-23031

SOURCES

db:VULHUBid:VHN-411902
db:VULMONid:CVE-2022-23031
db:JVNDBid:JVNDB-2022-004256
db:CNNVDid:CNNVD-202201-1638
db:NVDid:CVE-2022-23031

LAST UPDATE DATE

2024-11-23T22:54:43.811000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-411902date:2022-02-01T00:00:00
db:VULMONid:CVE-2022-23031date:2022-02-01T00:00:00
db:JVNDBid:JVNDB-2022-004256date:2023-04-04T00:52:00
db:CNNVDid:CNNVD-202201-1638date:2022-02-22T00:00:00
db:NVDid:CVE-2022-23031date:2024-11-21T06:47:50.727

SOURCES RELEASE DATE

db:VULHUBid:VHN-411902date:2022-01-25T00:00:00
db:VULMONid:CVE-2022-23031date:2022-01-25T00:00:00
db:JVNDBid:JVNDB-2022-004256date:2023-04-04T00:00:00
db:CNNVDid:CNNVD-202201-1638date:2022-01-19T00:00:00
db:NVDid:CVE-2022-23031date:2022-01-25T20:15:10.007