Details of VAR-202302-0010

ID

VAR-202302-0010

CVE

CVE-2023-22418

TITLE

BIG-IP APM Open redirect vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-003164

DESCRIPTION

On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious attacker to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Trust: 1.8

sources: NVD: CVE-2023-22418 // JVNDB: JVNDB-2023-003164 // VULHUB: VHN-451924 // VULMON: CVE-2023-22418

AFFECTED PRODUCTS

vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	15.1.8.1	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip fraud protection service	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lt	version:	15.1.7	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip local traffic manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	15.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip domain name system	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip analytics	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	17.0.0	Trust: 1.0
vendor:	f5	model:	big-ip advanced firewall manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip access policy manager	scope:	gte	version:	14.1.0	Trust: 1.0
vendor:	f5	model:	big-ip policy enforcement manager	scope:	lt	version:	14.1.5.3	Trust: 1.0
vendor:	f5	model:	big-ip application security manager	scope:	gte	version:	16.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	lt	version:	17.0.0.2	Trust: 1.0
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	lte	version:	13.1.5	Trust: 1.0
vendor:	f5	model:	big-ip link controller	scope:	lt	version:	16.1.3.3	Trust: 1.0
vendor:	f5	model:	big-ip ssl orchestrator	scope:	gte	version:	13.1.0	Trust: 1.0
vendor:	f5	model:	big-ip application acceleration manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip access policy manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip domain name system	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip ddos hybrid defender	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip analytics	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip link controller	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip fraud protection service	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip local traffic manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip application security manager	scope:	-	version:	-	Trust: 0.8
vendor:	f5	model:	big-ip advanced firewall manager	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-003164 // NVD: CVE-2023-22418

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-22418
value:	MEDIUM
Trust: 1.0
f5sirt@f5.com:	CVE-2023-22418
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2023-003164
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202302-091
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2023-22418
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 2.0
OTHER:	JVNDB-2023-003164
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-003164 // CNNVD: CNNVD-202302-091 // NVD: CVE-2023-22418 // NVD: CVE-2023-22418

PROBLEMTYPE DATA

problemtype:	CWE-601	Trust: 1.1
problemtype:	Open redirect (CWE-601) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-451924 // JVNDB: JVNDB-2023-003164 // NVD: CVE-2023-22418

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-091

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202302-091

PATCH

title:	K95503300	url:	https://my.f5.com/manage/s/article/K95503300	Trust: 0.8
title:	F5 BIG-IP Enter the fix for the verification error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=224509	Trust: 0.6
title:	-	url:	https://github.com/Live-Hack-CVE/CVE-2023-22418	Trust: 0.1

sources: VULMON: CVE-2023-22418 // JVNDB: JVNDB-2023-003164 // CNNVD: CNNVD-202302-091

EXTERNAL IDS

db:	NVD	id:	CVE-2023-22418	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-003164	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-091	Trust: 0.6
db:	VULHUB	id:	VHN-451924	Trust: 0.1
db:	VULMON	id:	CVE-2023-22418	Trust: 0.1

sources: VULHUB: VHN-451924 // VULMON: CVE-2023-22418 // JVNDB: JVNDB-2023-003164 // CNNVD: CNNVD-202302-091 // NVD: CVE-2023-22418

REFERENCES

url:	https://my.f5.com/manage/s/article/k95503300	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-22418	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-22418/	Trust: 0.6
url:	https://github.com/live-hack-cve/cve-2023-22418	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-451924 // VULMON: CVE-2023-22418 // JVNDB: JVNDB-2023-003164 // CNNVD: CNNVD-202302-091 // NVD: CVE-2023-22418

SOURCES

db:	VULHUB	id:	VHN-451924
db:	VULMON	id:	CVE-2023-22418
db:	JVNDB	id:	JVNDB-2023-003164
db:	CNNVD	id:	CNNVD-202302-091
db:	NVD	id:	CVE-2023-22418

LAST UPDATE DATE

2024-08-14T15:26:53.132000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-451924	date:	2023-02-09T00:00:00
db:	VULMON	id:	CVE-2023-22418	date:	2023-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-003164	date:	2023-09-01T07:46:00
db:	CNNVD	id:	CNNVD-202302-091	date:	2023-02-10T00:00:00
db:	NVD	id:	CVE-2023-22418	date:	2023-11-07T04:06:53.187

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-451924	date:	2023-02-01T00:00:00
db:	VULMON	id:	CVE-2023-22418	date:	2023-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2023-003164	date:	2023-09-01T00:00:00
db:	CNNVD	id:	CNNVD-202302-091	date:	2023-02-01T00:00:00
db:	NVD	id:	CVE-2023-22418	date:	2023-02-01T18:15:11.450