ID

VAR-202205-0359


CVE

CVE-2022-27806


TITLE

plural  F5 Networks  Command injection vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2022-010247

DESCRIPTION

On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. plural F5 Networks The product contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.8

sources: NVD: CVE-2022-27806 // JVNDB: JVNDB-2022-010247 // VULHUB: VHN-419886 // VULMON: CVE-2022-27806

AFFECTED PRODUCTS

vendor:f5model:big-ip application security managerscope:eqversion:15.1.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.1

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:14.1.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:16.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:14.1.3

Trust: 1.0

vendor:f5model:big-ip guided configurationscope:ltversion:9.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.4

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:14.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.1.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:16.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:16.1.1

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:14.1.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:15.1.1

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:15.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.2

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:13.1.3

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:14.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:16.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:14.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:15.1.5

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:16.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip application security managerscope:eqversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:eqversion:15.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:eqversion:16.1.2

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip guided configurationscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2022-010247 // NVD: CVE-2022-27806

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-27806
value: HIGH

Trust: 1.0

f5sirt@f5.com: CVE-2022-27806
value: HIGH

Trust: 1.0

NVD: CVE-2022-27806
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202205-2076
value: HIGH

Trust: 0.6

VULHUB: VHN-419886
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-27806
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-419886
severity: MEDIUM
baseScore: 6.0
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.8
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-27806
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

f5sirt@f5.com: CVE-2022-27806
baseSeverity: HIGH
baseScore: 8.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 5.8
version: 3.1

Trust: 1.0

NVD: CVE-2022-27806
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-419886 // JVNDB: JVNDB-2022-010247 // CNNVD: CNNVD-202205-2076 // NVD: CVE-2022-27806 // NVD: CVE-2022-27806

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.1

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: VULHUB: VHN-419886 // JVNDB: JVNDB-2022-010247 // NVD: CVE-2022-27806

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2076

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202205-2076

PATCH

title:K68647001url:https://my.f5.com/manage/s/article/K68647001

Trust: 0.8

title:F5 BIG-IP Repair measures for command injection vulnerabilities in multiple productsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191828

Trust: 0.6

sources: JVNDB: JVNDB-2022-010247 // CNNVD: CNNVD-202205-2076

EXTERNAL IDS

db:NVDid:CVE-2022-27806

Trust: 3.4

db:JVNDBid:JVNDB-2022-010247

Trust: 0.8

db:CNNVDid:CNNVD-202205-2076

Trust: 0.6

db:VULHUBid:VHN-419886

Trust: 0.1

db:VULMONid:CVE-2022-27806

Trust: 0.1

sources: VULHUB: VHN-419886 // VULMON: CVE-2022-27806 // JVNDB: JVNDB-2022-010247 // CNNVD: CNNVD-202205-2076 // NVD: CVE-2022-27806

REFERENCES

url:https://support.f5.com/csp/article/k68647001

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-27806

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2022-27806/

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38241

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-419886 // VULMON: CVE-2022-27806 // JVNDB: JVNDB-2022-010247 // CNNVD: CNNVD-202205-2076 // NVD: CVE-2022-27806

SOURCES

db:VULHUBid:VHN-419886
db:VULMONid:CVE-2022-27806
db:JVNDBid:JVNDB-2022-010247
db:CNNVDid:CNNVD-202205-2076
db:NVDid:CVE-2022-27806

LAST UPDATE DATE

2024-08-14T15:11:28.239000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-419886date:2022-05-13T00:00:00
db:VULMONid:CVE-2022-27806date:2022-05-05T00:00:00
db:JVNDBid:JVNDB-2022-010247date:2023-08-14T05:46:00
db:CNNVDid:CNNVD-202205-2076date:2022-05-16T00:00:00
db:NVDid:CVE-2022-27806date:2022-05-13T16:48:52.953

SOURCES RELEASE DATE

db:VULHUBid:VHN-419886date:2022-05-05T00:00:00
db:VULMONid:CVE-2022-27806date:2022-05-05T00:00:00
db:JVNDBid:JVNDB-2022-010247date:2023-08-14T00:00:00
db:CNNVDid:CNNVD-202205-2076date:2022-05-04T00:00:00
db:NVDid:CVE-2022-27806date:2022-05-05T17:15:13.620