Vulnerability CVE-2021-22979

Vulnerability Name:

CVE-2021-22979 (CCN-196712)

Assigned:

2021-02-10

Published:

2021-02-10

Updated:

2021-02-19

Summary:

On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user.
Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

CVSS v3 Severity:

6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2021-22979

Source: XF
Type: UNKNOWN
f5-bigip-cve202122979-xss(196712)

Source: CCN
Type: F5 Security Advisory K63497634
BIG-IP FPS XSS vulnerability CVE-2021-22979

Source: MISC
Type: Vendor Advisory
https://support.f5.com/csp/article/K63497634

Vulnerable Configuration:

Configuration 1:

cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 12.1.0 and <= 12.1.5)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 13.1.0 and < 13.1.3.5)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 14.1.0 and < 14.1.2.8)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 15.1.0 and < 15.1.1)

OR cpe:/a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.1)

Configuration CCN 1:

cpe:/a:f5:big-ip_access_policy_manager:12.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:14.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:13.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:12.1.5:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.6.5:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:13.1.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.6.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:15.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:16.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:*

OR cpe:/o:f5:big-ip:15.0.0:*:*:*:*:*:*:*

OR cpe:/o:f5:big-ip:15.1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK