Details of VAR-202302-0009

ID

VAR-202302-0009

CVE

CVE-2023-22326

TITLE

BIG-IP and BIG-IQ Vulnerability in improper permission assignment for critical resources in

Trust: 0.8

sources: JVNDB: JVNDB-2023-003201

DESCRIPTION

In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP and BIG-IQ Contains a vulnerability in improper permission assignment for critical resources.Information may be obtained

Trust: 1.8

sources: NVD: CVE-2023-22326 // JVNDB: JVNDB-2023-003201 // VULHUB: VHN-451919 // VULMON: CVE-2023-22326

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-003201 // NVD: CVE-2023-22326

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-22326
value:	MEDIUM
Trust: 1.0
f5sirt@f5.com:	CVE-2023-22326
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2023-003201
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202302-096
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-22326
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	3.6
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2023-003201
baseSeverity:	MEDIUM
baseScore:	4.9
vectorString:	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-003201 // CNNVD: CNNVD-202302-096 // NVD: CVE-2023-22326 // NVD: CVE-2023-22326

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.1
problemtype:	Improper permission assignment for critical resources (CWE-732) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-451919 // JVNDB: JVNDB-2023-003201 // NVD: CVE-2023-22326

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-096

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202302-096

PATCH

title:	K83284425	url:	https://my.f5.com/manage/s/article/K83284425	Trust: 0.8
title:	F5 BIG-IP Security vulnerabilities	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=224514	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2023-22326	Trust: 0.1

sources: VULMON: CVE-2023-22326 // JVNDB: JVNDB-2023-003201 // CNNVD: CNNVD-202302-096

EXTERNAL IDS

db:	NVD	id:	CVE-2023-22326	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-003201	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-096	Trust: 0.6
db:	VULHUB	id:	VHN-451919	Trust: 0.1
db:	VULMON	id:	CVE-2023-22326	Trust: 0.1

sources: VULHUB: VHN-451919 // VULMON: CVE-2023-22326 // JVNDB: JVNDB-2023-003201 // CNNVD: CNNVD-202302-096 // NVD: CVE-2023-22326

REFERENCES

url:	https://my.f5.com/manage/s/article/k83284425	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-22326	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-22326/	Trust: 0.6
url:	https://github.com/live-hack-cve/cve-2023-22326	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-451919 // VULMON: CVE-2023-22326 // JVNDB: JVNDB-2023-003201 // CNNVD: CNNVD-202302-096 // NVD: CVE-2023-22326

SOURCES

db:	VULHUB	id:	VHN-451919
db:	VULMON	id:	CVE-2023-22326
db:	JVNDB	id:	JVNDB-2023-003201
db:	CNNVD	id:	CNNVD-202302-096
db:	NVD	id:	CVE-2023-22326

LAST UPDATE DATE

2024-08-14T13:42:06.432000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-451919	date:	2023-02-09T00:00:00
db:	VULMON	id:	CVE-2023-22326	date:	2023-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-003201	date:	2023-09-04T05:18:00
db:	CNNVD	id:	CNNVD-202302-096	date:	2023-02-10T00:00:00
db:	NVD	id:	CVE-2023-22326	date:	2023-11-07T04:06:50.377

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-451919	date:	2023-02-01T00:00:00
db:	VULMON	id:	CVE-2023-22326	date:	2023-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-003201	date:	2023-09-04T00:00:00
db:	CNNVD	id:	CNNVD-202302-096	date:	2023-02-01T00:00:00
db:	NVD	id:	CVE-2023-22326	date:	2023-02-01T18:15:10.977