Details of VAR-202205-0360

ID

VAR-202205-0360

CVE

CVE-2022-28714

TITLE

F5 BIG-IP APM and F5 BIG-IP APM Clients Vulnerability regarding uncontrolled search path elements in

Trust: 0.8

sources: JVNDB: JVNDB-2022-010293

DESCRIPTION

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, a DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP APM and F5 BIG-IP APM Clients Exists in a vulnerability in an element of an uncontrolled search path.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. F5 BIG-IP APM Edge Client for Windows is a client access control authentication access client application of F5 company. F5 BIG-IP has a code issue vulnerability that can be exploited by an attacker to use a malicious dynamic link library (DLL) to gain privilege escalation on a client Windows system

Trust: 1.8

sources: NVD: CVE-2022-28714 // JVNDB: JVNDB-2022-010293 // VULHUB: VHN-420249 // VULMON: CVE-2022-28714

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.2.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.8.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.9	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager client	scope:	eq	version:	7.1.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager client	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-010293 // NVD: CVE-2022-28714

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-28714
value:	HIGH
Trust: 1.0
f5sirt@f5.com:	CVE-2022-28714
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-28714
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202205-2072
value:	HIGH
Trust: 0.6
VULHUB:	VHN-420249
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-28714
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-28714
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-420249
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-28714
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
f5sirt@f5.com:	CVE-2022-28714
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.3
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-28714
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-420249 // VULMON: CVE-2022-28714 // JVNDB: JVNDB-2022-010293 // CNNVD: CNNVD-202205-2072 // NVD: CVE-2022-28714 // NVD: CVE-2022-28714

PROBLEMTYPE DATA

problemtype:	CWE-427	Trust: 1.1
problemtype:	Uncontrolled search path elements (CWE-427) [ others ]	Trust: 0.8

sources: VULHUB: VHN-420249 // JVNDB: JVNDB-2022-010293 // NVD: CVE-2022-28714

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202205-2072

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202205-2072

PATCH

title:	K54460845	url:	https://support.f5.com/csp/article/K54460845	Trust: 0.8
title:	F5 BIG-IP Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191824	Trust: 0.6

sources: JVNDB: JVNDB-2022-010293 // CNNVD: CNNVD-202205-2072

EXTERNAL IDS

db:	NVD	id:	CVE-2022-28714	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-010293	Trust: 0.8
db:	CNNVD	id:	CNNVD-202205-2072	Trust: 0.6
db:	CNVD	id:	CNVD-2022-77521	Trust: 0.1
db:	VULHUB	id:	VHN-420249	Trust: 0.1
db:	VULMON	id:	CVE-2022-28714	Trust: 0.1

sources: VULHUB: VHN-420249 // VULMON: CVE-2022-28714 // JVNDB: JVNDB-2022-010293 // CNNVD: CNNVD-202205-2072 // NVD: CVE-2022-28714

REFERENCES

url:	https://support.f5.com/csp/article/k54460845	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28714	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2022-28714/	Trust: 0.6
url:	https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38241	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/427.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-420249 // VULMON: CVE-2022-28714 // JVNDB: JVNDB-2022-010293 // CNNVD: CNNVD-202205-2072 // NVD: CVE-2022-28714

SOURCES

db:	VULHUB	id:	VHN-420249
db:	VULMON	id:	CVE-2022-28714
db:	JVNDB	id:	JVNDB-2022-010293
db:	CNNVD	id:	CNNVD-202205-2072
db:	NVD	id:	CVE-2022-28714

LAST UPDATE DATE

2024-11-23T22:24:50.953000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-420249	date:	2022-05-12T00:00:00
db:	VULMON	id:	CVE-2022-28714	date:	2022-05-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-010293	date:	2023-08-14T07:58:00
db:	CNNVD	id:	CNNVD-202205-2072	date:	2022-05-13T00:00:00
db:	NVD	id:	CVE-2022-28714	date:	2024-11-21T06:57:47.470

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-420249	date:	2022-05-05T00:00:00
db:	VULMON	id:	CVE-2022-28714	date:	2022-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2022-010293	date:	2023-08-14T00:00:00
db:	CNNVD	id:	CNNVD-202205-2072	date:	2022-05-04T00:00:00
db:	NVD	id:	CVE-2022-28714	date:	2022-05-05T17:15:14.717