CVE-2023-22283

01.02.2023, 18:15

On versions beginning in 7.1.5 to before 7.2.3.1, a DLL hijacking vulnerability exists in the BIG-IP Edge Client for Windows. User interaction and administrative privileges are required to exploit this vulnerability because the victim user needs to run the executable on the system and the attacker requires administrative privileges for modifying the files in the trusted search path.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
f5	CNA	6.5 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Vendor	Product	Version
f5	big-ip_access_policy_manager	7.2.2 ≤ 𝑥 < 7.2.3.1
f5	big-ip_access_policy_manager	13.1.0 ≤ 𝑥 ≤ 13.1.5
f5	big-ip_access_policy_manager	14.1.0 ≤ 𝑥 ≤ 14.1.5
f5	big-ip_access_policy_manager	15.1.0 ≤ 𝑥 ≤ 15.1.8
f5	big-ip_access_policy_manager	16.1.0 ≤ 𝑥 ≤ 16.1.3
f5	big-ip_access_policy_manager	17.0.0 ≤ 𝑥 < 17.0.0.2
f5	big-ip_edge	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-427 - Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References

https://my.f5.com/manage/s/article/K07143733