ID

VAR-202205-0135


CVE

CVE-2022-26415


TITLE

F5 BIG-IP  Command injection vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2022-010270

DESCRIPTION

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. A command injection vulnerability exists in the F5 BIG-IP that could be exploited by an authenticated attacker to bypass device mode restrictions

Trust: 1.8

sources: NVD: CVE-2022-26415 // JVNDB: JVNDB-2022-010270 // VULHUB: VHN-419845 // VULMON: CVE-2022-26415

AFFECTED PRODUCTS

vendor:f5model:big-ip access policy managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip link controllerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip local traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-010270 // NVD: CVE-2022-26415

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-26415
value: CRITICAL

Trust: 1.0

f5sirt@f5.com: CVE-2022-26415
value: HIGH

Trust: 1.0

NVD: CVE-2022-26415
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202205-2054
value: CRITICAL

Trust: 0.6

VULHUB: VHN-419845
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-26415
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-26415
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-419845
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-26415
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.3
impactScore: 6.0
version: 3.1

Trust: 1.0

f5sirt@f5.com: CVE-2022-26415
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 5.8
version: 3.1

Trust: 1.0

NVD: CVE-2022-26415
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-419845 // VULMON: CVE-2022-26415 // JVNDB: JVNDB-2022-010270 // CNNVD: CNNVD-202205-2054 // NVD: CVE-2022-26415 // NVD: CVE-2022-26415

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: VULHUB: VHN-419845 // JVNDB: JVNDB-2022-010270 // NVD: CVE-2022-26415

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2054

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202205-2054

PATCH

title:K81952114url:https://my.f5.com/manage/s/article/K81952114

Trust: 0.8

title:F5 BIG-IP Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=192824

Trust: 0.6

sources: JVNDB: JVNDB-2022-010270 // CNNVD: CNNVD-202205-2054

EXTERNAL IDS

db:NVDid:CVE-2022-26415

Trust: 3.4

db:JVNDBid:JVNDB-2022-010270

Trust: 0.8

db:AUSCERTid:ESB-2022.2136

Trust: 0.6

db:CNNVDid:CNNVD-202205-2054

Trust: 0.6

db:CNVDid:CNVD-2022-77531

Trust: 0.1

db:VULHUBid:VHN-419845

Trust: 0.1

db:VULMONid:CVE-2022-26415

Trust: 0.1

sources: VULHUB: VHN-419845 // VULMON: CVE-2022-26415 // JVNDB: JVNDB-2022-010270 // CNNVD: CNNVD-202205-2054 // NVD: CVE-2022-26415

REFERENCES

url:https://support.f5.com/csp/article/k81952114

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-26415

Trust: 0.8

url:https://vigilance.fr/vulnerability/f5-big-ip-privilege-escalation-via-icontrol-rest-endpoint-38231

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-26415/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2136

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-419845 // VULMON: CVE-2022-26415 // JVNDB: JVNDB-2022-010270 // CNNVD: CNNVD-202205-2054 // NVD: CVE-2022-26415

SOURCES

db:VULHUBid:VHN-419845
db:VULMONid:CVE-2022-26415
db:JVNDBid:JVNDB-2022-010270
db:CNNVDid:CNNVD-202205-2054
db:NVDid:CVE-2022-26415

LAST UPDATE DATE

2024-08-14T15:16:46.505000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-419845date:2023-01-24T00:00:00
db:VULMONid:CVE-2022-26415date:2022-05-13T00:00:00
db:JVNDBid:JVNDB-2022-010270date:2023-08-14T07:00:00
db:CNNVDid:CNNVD-202205-2054date:2022-05-16T00:00:00
db:NVDid:CVE-2022-26415date:2023-01-24T15:37:57.270

SOURCES RELEASE DATE

db:VULHUBid:VHN-419845date:2022-05-05T00:00:00
db:VULMONid:CVE-2022-26415date:2022-05-05T00:00:00
db:JVNDBid:JVNDB-2022-010270date:2023-08-14T00:00:00
db:CNNVDid:CNNVD-202205-2054date:2022-05-04T00:00:00
db:NVDid:CVE-2022-26415date:2022-05-05T17:15:12.107