CVE-2015-4637

EUVD-2015-4656
The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing an LDAP user account name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
f5big-iq_adc
4.5.0
f5big-iq_cloud
4.4.0
f5big-iq_cloud
4.5.0
f5big-iq_device
4.4.0
f5big-iq_device
4.5.0
f5big-iq_security
4.4.0
f5big-iq_security
4.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html
https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16861.html