CVE-2021-23031 - Vulnerability Details

Vendors	Products
F5	Big-ip Advanced Web Application Firewall Big-ip Application Security Manager

Link	Providers
https://support.f5.com/csp/article/K41351250

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "BIG-IP Advanced WAF and BIG-IP ASM", "vendor": "n/a", "versions": [{"status": "affected", "version": "16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3"}]}], "descriptions": [{"lang": "en", "value": "On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-14T18:07:06", "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.f5.com/csp/article/K41351250"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "f5sirt@f5.com", "ID": "CVE-2021-23031", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BIG-IP Advanced WAF and BIG-IP ASM", "version": {"version_data": [{"version_value": "16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78"}]}]}, "references": {"reference_data": [{"name": "https://support.f5.com/csp/article/K41351250", "refsource": "MISC", "url": "https://support.f5.com/csp/article/K41351250"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:58:26.288Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.f5.com/csp/article/K41351250"}]}]}, "cveMetadata": {"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "cveId": "CVE-2021-23031", "datePublished": "2021-09-14T18:07:06", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-08-03T18:58:26.288Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : BIG-IP Advanced WAF and BIG-IP ASM (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-78 (string)

description : CWE-78 (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-09-14T18:07:06 (string)

orgId : 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab (string)

shortName : f5 (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://support.f5.com/csp/article/K41351250 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : f5sirt@f5.com (string)

ID : CVE-2021-23031 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : BIG-IP Advanced WAF and BIG-IP ASM (string)

version : { »

version_data : [ »

0 : { »

version_value : 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3 (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : CWE-78 (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://support.f5.com/csp/article/K41351250 (string)

refsource : MISC (string)

url : https://support.f5.com/csp/article/K41351250 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-03T18:58:26.288Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://support.f5.com/csp/article/K41351250 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 9dacffd4-cb11-413f-8451-fbbfd4ddc0ab (string)

assignerShortName : f5 (string)

cveId : CVE-2021-23031 (string)

datePublished : 2021-09-14T18:07:06 (string)

dateReserved : 2021-01-06T00:00:00 (string)

dateUpdated : 2024-08-03T18:58:26.288Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6AF221D-F7EC-40C9-BC9C-4F7C054C1600", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "322AA283-E494-45E0-975E-2725E2FCC2DE", "versionEndIncluding": "12.1.5", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "0802E0C1-9F02-4AFF-87B3-12BFE56C6D23", "versionEndIncluding": "13.1.3", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2A1BB14-BEB5-43DD-878D-83E51FBFD4E0", "versionEndIncluding": "14.1.4", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7EE1E34-5DAE-4162-93E7-F043E5DF67C8", "versionEndIncluding": "15.1.2", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D3877DD-4285-4EA1-9E76-A7EF48B0B1B5", "versionEndIncluding": "16.0.1.1", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9A86305-2292-40FB-A984-9B15F7A079F0", "versionEndIncluding": "11.6.5.2", "versionStartIncluding": "11.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E5552A3-91CD-4B97-AD33-4F1FB4C8827A", "versionEndIncluding": "12.1.5", "versionStartIncluding": "12.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A53C692-D353-42E3-9148-F850DA11884F", "versionEndIncluding": "13.1.3", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "15EB0439-9C16-45C2-895D-44D6ED1A028A", "versionEndIncluding": "14.1.4", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E60DDD42-73D2-44BE-B101-03E313E5C35C", "versionEndIncluding": "15.1.2", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C19CC5B0-63A3-454E-B0F4-9F4A6D176567", "versionEndIncluding": "16.0.1.1", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "En versiones 16.0.x anteriores a 16.0.1.2, versiones 15.1.x anteriores a 15.1.3, versiones 14.1.x anteriores a 14.1.4.1, versiones 13.1.x anteriores a 13.1.4, versiones 12.1.x anteriores a 12.1.6 y 11.6.x anteriores a 11.6.5.3, un usuario autenticado puede llevar a cabo una escalada de privilegios en la utilidad de Configuraci\u00f3n de BIG-IP Advanced WAF y ASM. Nota: Las versiones de software que han alcanzado End of Technical Support (EoTS) no son evaluadas"}], "id": "CVE-2021-23031", "lastModified": "2024-11-21T05:51:11.130", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-14T19:15:07.273", "references": [{"source": "f5sirt@f5.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.f5.com/csp/article/K41351250"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://support.f5.com/csp/article/K41351250"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "f5sirt@f5.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : D6AF221D-F7EC-40C9-BC9C-4F7C054C1600 (string)

versionEndIncluding : 11.6.5.2 (string)

versionStartIncluding : 11.6.1 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 322AA283-E494-45E0-975E-2725E2FCC2DE (string)

versionEndIncluding : 12.1.5 (string)

versionStartIncluding : 12.1.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 0802E0C1-9F02-4AFF-87B3-12BFE56C6D23 (string)

versionEndIncluding : 13.1.3 (string)

versionStartIncluding : 13.1.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : D2A1BB14-BEB5-43DD-878D-83E51FBFD4E0 (string)

versionEndIncluding : 14.1.4 (string)

versionStartIncluding : 14.1.0 (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : F7EE1E34-5DAE-4162-93E7-F043E5DF67C8 (string)

versionEndIncluding : 15.1.2 (string)

versionStartIncluding : 15.1.0 (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 2D3877DD-4285-4EA1-9E76-A7EF48B0B1B5 (string)

versionEndIncluding : 16.0.1.1 (string)

versionStartIncluding : 16.0.0 (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : C9A86305-2292-40FB-A984-9B15F7A079F0 (string)

versionEndIncluding : 11.6.5.2 (string)

versionStartIncluding : 11.6.1 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 2E5552A3-91CD-4B97-AD33-4F1FB4C8827A (string)

versionEndIncluding : 12.1.5 (string)

versionStartIncluding : 12.1.0 (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 8A53C692-D353-42E3-9148-F850DA11884F (string)

versionEndIncluding : 13.1.3 (string)

versionStartIncluding : 13.1.0 (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 15EB0439-9C16-45C2-895D-44D6ED1A028A (string)

versionEndIncluding : 14.1.4 (string)

versionStartIncluding : 14.1.0 (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : E60DDD42-73D2-44BE-B101-03E313E5C35C (string)

versionEndIncluding : 15.1.2 (string)

versionStartIncluding : 15.1.0 (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (string)

matchCriteriaId : C19CC5B0-63A3-454E-B0F4-9F4A6D176567 (string)

versionEndIncluding : 16.0.1.1 (string)

versionStartIncluding : 16.0.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (string)

}

1 : { »

lang : es (string)

value : En versiones 16.0.x anteriores a 16.0.1.2, versiones 15.1.x anteriores a 15.1.3, versiones 14.1.x anteriores a 14.1.4.1, versiones 13.1.x anteriores a 13.1.4, versiones 12.1.x anteriores a 12.1.6 y 11.6.x anteriores a 11.6.5.3, un usuario autenticado puede llevar a cabo una escalada de privilegios en la utilidad de Configuración de BIG-IP Advanced WAF y ASM. Nota: Las versiones de software que han alcanzado End of Technical Support (EoTS) no son evaluadas (string)

}

]

id : CVE-2021-23031 (string)

lastModified : 2024-11-21T05:51:11.130 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 9.9 (number)

baseSeverity : CRITICAL (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : LOW (string)

scope : CHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 3.1 (number)

impactScore : 6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-09-14T19:15:07.273 (string)

references : [ »

0 : { »

source : f5sirt@f5.com (string)

tags : [ »

0 : Mitigation (string)

1 : Vendor Advisory (string)

]

url : https://support.f5.com/csp/article/K41351250 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Mitigation (string)

1 : Vendor Advisory (string)

]

url : https://support.f5.com/csp/article/K41351250 (string)

}

]

sourceIdentifier : f5sirt@f5.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-78 (string)

}

]

source : f5sirt@f5.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-78 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object