CVE-2021-22980

12.02.2021, 18:15

In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could allow an attacker to load a malicious DLL library from its current directory. User interaction is required to exploit this vulnerability in that the victim must run this utility on the Windows system. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
f5	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Vendor	Product	Version
f5	access_policy_manager_clients	7.1.5 ≤ 𝑥 < 7.1.8.5
f5	access_policy_manager_clients	7.1.9 ≤ 𝑥 < 7.1.9.8
f5	access_policy_manager_clients	7.2.1 ≤ 𝑥 < 7.2.1.1
f5	big-ip_access_policy_manager	11.6.1 ≤ 𝑥 ≤ 11.6.5
f5	big-ip_access_policy_manager	12.1.0 ≤ 𝑥 ≤ 12.1.5
f5	big-ip_access_policy_manager	13.1.0 ≤ 𝑥 < 13.1.3.6
f5	big-ip_access_policy_manager	14.1.0 ≤ 𝑥 ≤ 14.1.3
f5	big-ip_access_policy_manager	15.1.0 ≤ 𝑥 ≤ 15.1.2
f5	big-ip_access_policy_manager	16.0.0 ≤ 𝑥 < 16.0.1.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-426 - Untrusted Search Path
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

References

https://support.f5.com/csp/article/K29282483