CVE-2023-22341

01.02.2023, 18:15

On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate:

  *  An OAuth Server that references an OAuth Provider
  *  An OAuth profile with the Authorization Endpoint set to '/'
  *  An access profile that references the above OAuth profile and is associated with an HTTPS virtual server 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
f5	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Vendor	Product	Version
f5	big-ip_access_policy_manager	13.1.0 ≤ 𝑥 ≤ 13.1.5
f5	big-ip_access_policy_manager	14.1.0 ≤ 𝑥 < 14.1.5.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://my.f5.com/manage/s/article/K20717585