Vulnerabilities > CVE-2021-23029 - Server-Side Request Forgery (SSRF) vulnerability in F5 products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

CWE-918

NVD

Published: 2021-09-14

Updated: 2021-09-27

Summary

On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Application Security Manager 16.0.0 F5 BIG IP Application Security Manager 16.0.1 F5 BIG IP Application Security Manager 16.0.1.1 F5 BIG IP Advanced WEB Application Firewall 16.0.0 F5 BIG IP Advanced WEB Application Firewall 16.0.1 F5 BIG IP Advanced WEB Application Firewall 16.0.1.1	6

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://support.f5.com/csp/article/K52420610