CVE-2022-23031

25.01.2022, 20:15

On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.9 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
f5	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Vendor	Product	Version
f5	big-ip_advanced_web_application_firewall	14.1.0 ≤ 𝑥 ≤ 14.1.4
f5	big-ip_advanced_web_application_firewall	15.1.0 ≤ 𝑥 ≤ 15.1.3
f5	big-ip_advanced_web_application_firewall	16.0.0 ≤ 𝑥 ≤ 16.1.0
f5	big-ip_application_security_manager	14.1.0 ≤ 𝑥 ≤ 14.1.4
f5	big-ip_application_security_manager	15.1.0 ≤ 𝑥 ≤ 15.1.3
f5	big-ip_application_security_manager	16.0.0 ≤ 𝑥 ≤ 16.1.0
f5	big-ip_fraud_protection_service	14.1.0 ≤ 𝑥 ≤ 14.1.4
f5	big-ip_fraud_protection_service	15.1.0 ≤ 𝑥 ≤ 15.1.3
f5	big-ip_fraud_protection_service	16.0.0 ≤ 𝑥 ≤ 16.1.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-611 - Improper Restriction of XML External Entity Reference
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References

https://support.f5.com/csp/article/K61112120