Vulnerability Name: CVE-2017-0301 (CCN-136591)
Assigned: 2016-11-09
Published: 2017-12-19
Updated: 2019-10-03
Summary: In F5 BIG-IP APM software versions 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, 11.6.1, 12.0.0, 12.1.0, 12.1.1 and 12.1.2, BIG-IP APM portal access requests do not return the intended resources in some cases. This may allow access to internal BIG-IP APM resources; however, the application resources and backend servers are unaffected.
CVSS v3 Severity:
7.6 High (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
6.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Adjacent
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
7.6 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
6.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Adjacent
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:
4.0 Medium (CVSS v2 Vector: AV:A/AC:H/Au:S/C:P/I:P/A:P)
Exploitability Metrics:
Access Vector (AV): Adjacent_Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.5 Medium (CCN CVSS v2 Vector: AV:A/AC:H/Au:S/C:C/I:C/A:C)
Exploitability Metrics:
Access Vector (AV): Adjacent_Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2017-0301

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1040040

Source: XF
Type: UNKNOWN
f5-bigip-cve20170301-sec-bypass(136591)

Source: CCN
Type: F5 Security Advisory K54358225
BIG-IP APM Portal Access vulnerability CVE-2017-0301

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://support.f5.com/csp/article/K54358225

Vulnerable Configuration:
Configuration 1:
cpe:/a:f5:big-ip_access_policy_manager:11.5.0:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.5.1:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.5.2:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.5.3:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.5.4:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.6.0:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:11.6.1:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.0.0:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.1.0:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.1.1:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.1.2:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:f5:big-ip_access_policy_manager:11.4.0:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.1.2:*:*:*:*:*:*:*
OR cpe:/a:f5:big-ip_access_policy_manager:12.0.0:*:*:*:*:*:*:*
f5 big-ip access policy manager 11.5.0
f5 big-ip access policy manager 11.5.1
f5 big-ip access policy manager 11.5.2
f5 big-ip access policy manager 11.5.3
f5 big-ip access policy manager 11.5.4
f5 big-ip access policy manager 11.6.0
f5 big-ip access policy manager 11.6.1
f5 big-ip access policy manager 12.0.0
f5 big-ip access policy manager 12.1.0
f5 big-ip access policy manager 12.1.1
f5 big-ip access policy manager 12.1.2
f5 big-ip access policy manager 11.4.0
f5 big-ip access policy manager 12.1.2
f5 big-ip access policy manager 12.0.0