Vulnerability Name: CVE-2022-25946 (CCN-225727) Assigned: 2022-05-04 Published: 2022-05-04 Updated: 2022-05-16 Summary: On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker with Administrator role privilege may be able to bypass Appliance mode restrictions due to a missing integrity check in F5 BIG-IP Guided Configuration.Note CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): None
8.7 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 7.6 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): HighUser Interaction (UI): NoneScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): None
CVSS v2 Severity: 4.9 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): None
8.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): None
Vulnerability Type: CWE-354 Vulnerability Consequences: Bypass Security References: Source: MITRECVE-2022-25946 f5-cve202225946-sec-bypass(225727) Authenticated F5 BIG-IP Guided Configuration integrity check in Appliance mode vulnerability CVE-2022-25946 https://support.f5.com/csp/article/K52322100 Vulnerable Configuration: Configuration 1 :cpe:/a:f5:big-ip_access_policy_manager:13.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:13.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:14.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:14.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:14.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:14.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:13.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:13.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:13.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:13.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:14.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:14.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:16.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:16.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:16.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:16.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:16.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:16.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:13.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:13.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:13.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:13.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:14.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:14.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_application_security_manager:15.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:13.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:14.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.3:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:15.1.5:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.1:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_advanced_web_application_firewall:16.1.2:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_guided_configuration:*:*:*:*:*:*:*:* (Version <= 9.0) Configuration CCN 1 :cpe:/a:f5:big-ip_access_policy_manager:14.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:15.1.0:*:*:*:*:*:*:* OR cpe:/o:f5:big-ip:15.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip:14.1.0:*:*:*:*:*:*:* OR cpe:/o:f5:big-ip:15.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:14.1.4:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:16.1.0:*:*:*:*:*:*:* OR cpe:/a:f5:big-ip_access_policy_manager:13.1.0.8:*:*:*:*:*:*:* BACK
f5 big-ip access policy manager 13.1.0
f5 big-ip application security manager 13.1.0
f5 big-ip access policy manager 14.1.0
f5 big-ip application security manager 14.1.0
f5 big-ip application security manager 15.1.0
f5 big-ip access policy manager 15.1.0
f5 big-ip advanced web application firewall 15.1.0
f5 big-ip access policy manager 14.1.4
f5 big-ip advanced web application firewall 14.1.4
f5 big-ip application security manager 14.1.4
f5 big-ip access policy manager 13.1.1
f5 big-ip access policy manager 13.1.3
f5 big-ip access policy manager 13.1.4
f5 big-ip access policy manager 13.1.5
f5 big-ip access policy manager 14.1.2
f5 big-ip access policy manager 14.1.3
f5 big-ip access policy manager 15.1.1
f5 big-ip access policy manager 15.1.2
f5 big-ip access policy manager 15.1.3
f5 big-ip access policy manager 15.1.4
f5 big-ip access policy manager 15.1.5
f5 big-ip access policy manager 16.1.0
f5 big-ip access policy manager 16.1.1
f5 big-ip access policy manager 16.1.2
f5 big-ip application security manager 15.1.4
f5 big-ip application security manager 15.1.5
f5 big-ip application security manager 16.1.0
f5 big-ip application security manager 16.1.1
f5 big-ip application security manager 16.1.2
f5 big-ip advanced web application firewall 16.1.0
f5 big-ip application security manager 13.1.1
f5 big-ip application security manager 13.1.3
f5 big-ip application security manager 13.1.4
f5 big-ip application security manager 13.1.5
f5 big-ip application security manager 14.1.2
f5 big-ip application security manager 14.1.3
f5 big-ip application security manager 15.1.1
f5 big-ip application security manager 15.1.2
f5 big-ip application security manager 15.1.3
f5 big-ip advanced web application firewall 13.1.0
f5 big-ip advanced web application firewall 13.1.1
f5 big-ip advanced web application firewall 13.1.3
f5 big-ip advanced web application firewall 13.1.4
f5 big-ip advanced web application firewall 13.1.5
f5 big-ip advanced web application firewall 14.1.0
f5 big-ip advanced web application firewall 14.1.2
f5 big-ip advanced web application firewall 14.1.3
f5 big-ip advanced web application firewall 15.1.1
f5 big-ip advanced web application firewall 15.1.2
f5 big-ip advanced web application firewall 15.1.3
f5 big-ip advanced web application firewall 15.1.4
f5 big-ip advanced web application firewall 15.1.5
f5 big-ip advanced web application firewall 16.1.1
f5 big-ip advanced web application firewall 16.1.2
f5 big-ip guided configuration *
f5 big-ip access policy manager 14.1.0
f5 big-ip 14.1.0
f5 big-ip access policy manager 15.1.0
f5 big-ip 15.1.0
f5 big-ip 14.1.0
f5 big-ip 15.1.0
f5 big-ip access policy manager 14.1.4
f5 big-ip access policy manager 16.1.0
f5 big-ip access policy manager 13.1.0.8
Denotes that component is vulnerable