Details of VAR-202205-0407

ID

VAR-202205-0407

CVE

CVE-2022-29263

TITLE

F5 BIG-IP APM and F5 BIG-IP APM Clients Vulnerability in improper permission assignment for critical resources in

Trust: 0.8

sources: JVNDB: JVNDB-2022-010291

DESCRIPTION

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, the BIG-IP Edge Client Component Installer Service does not use best practice while saving temporary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP APM and F5 BIG-IP APM Clients Contains a vulnerability in improper permission assignment for critical resources.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. F5 BIG-IP APM Edge Client for Windows is a client access control authentication access client application of F5 company. F5 BIG-IP APM Edge Client for Windows has a security vulnerability that can be exploited by an attacker to gain privilege escalation on the client Windows system

Trust: 1.8

sources: NVD: CVE-2022-29263 // JVNDB: JVNDB-2022-010291 // VULHUB: VHN-420797 // VULMON: CVE-2022-29263

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.6	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.4	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.3	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.1.8	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.1.9	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.1	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.1.9.8	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	11.6.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.1.9.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.0	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.2.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	16.1.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	12.1.4	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.2.1	Trust: 1.0
vendor:	f5	model:	access policy manager clients	scope:	eq	version:	7.1.8.5	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	14.1.3	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	eq	version:	15.1.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager client	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2022-010291 // NVD: CVE-2022-29263

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-29263
value:	HIGH
Trust: 1.0
f5sirt@f5.com:	CVE-2022-29263
value:	HIGH
Trust: 1.0
NVD:	CVE-2022-29263
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202205-2046
value:	HIGH
Trust: 0.6
VULHUB:	VHN-420797
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-29263
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-29263
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-420797
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-29263
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2022-010291
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-420797 // VULMON: CVE-2022-29263 // JVNDB: JVNDB-2022-010291 // CNNVD: CNNVD-202205-2046 // NVD: CVE-2022-29263 // NVD: CVE-2022-29263

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.1
problemtype:	Improper permission assignment for critical resources (CWE-732) [ others ]	Trust: 0.8

sources: VULHUB: VHN-420797 // JVNDB: JVNDB-2022-010291 // NVD: CVE-2022-29263

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202205-2046

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-2046

PATCH

title:	K33552735	url:	https://support.f5.com/csp/article/K33552735	Trust: 0.8
title:	F5 BIG-IP APM Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=191361	Trust: 0.6

sources: JVNDB: JVNDB-2022-010291 // CNNVD: CNNVD-202205-2046

EXTERNAL IDS

db:	NVD	id:	CVE-2022-29263	Trust: 3.4
db:	JVNDB	id:	JVNDB-2022-010291	Trust: 0.8
db:	CNNVD	id:	CNNVD-202205-2046	Trust: 0.6
db:	CNVD	id:	CNVD-2022-77532	Trust: 0.1
db:	VULHUB	id:	VHN-420797	Trust: 0.1
db:	VULMON	id:	CVE-2022-29263	Trust: 0.1

sources: VULHUB: VHN-420797 // VULMON: CVE-2022-29263 // JVNDB: JVNDB-2022-010291 // CNNVD: CNNVD-202205-2046 // NVD: CVE-2022-29263

REFERENCES

url:	https://support.f5.com/csp/article/k33552735	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2022-29263	Trust: 0.8
url:	https://vigilance.fr/vulnerability/f5-big-ip-apm-privilege-escalation-via-edge-client-component-installer-service-38218	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2022-29263/	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/732.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-420797 // VULMON: CVE-2022-29263 // JVNDB: JVNDB-2022-010291 // CNNVD: CNNVD-202205-2046 // NVD: CVE-2022-29263

SOURCES

db:	VULHUB	id:	VHN-420797
db:	VULMON	id:	CVE-2022-29263
db:	JVNDB	id:	JVNDB-2022-010291
db:	CNNVD	id:	CNNVD-202205-2046
db:	NVD	id:	CVE-2022-29263

LAST UPDATE DATE

2024-11-23T22:54:35.620000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-420797	date:	2022-05-12T00:00:00
db:	VULMON	id:	CVE-2022-29263	date:	2022-05-12T00:00:00
db:	JVNDB	id:	JVNDB-2022-010291	date:	2023-08-14T07:56:00
db:	CNNVD	id:	CNNVD-202205-2046	date:	2022-05-13T00:00:00
db:	NVD	id:	CVE-2022-29263	date:	2024-11-21T06:58:49.760

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-420797	date:	2022-05-05T00:00:00
db:	VULMON	id:	CVE-2022-29263	date:	2022-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2022-010291	date:	2023-08-14T00:00:00
db:	CNNVD	id:	CNNVD-202205-2046	date:	2022-05-04T00:00:00
db:	NVD	id:	CVE-2022-29263	date:	2022-05-05T17:15:14.910