CVE-2015-4637

The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing an LDAP user account name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
f5big-iq_adc
4.5.0
f5big-iq_cloud
4.4.0
f5big-iq_cloud
4.5.0
f5big-iq_device
4.4.0
f5big-iq_device
4.5.0
f5big-iq_security
4.4.0
f5big-iq_security
4.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html
https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html