CVE-2020-5943

In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.f5.com/csp/article/K20059815	Vendor Advisory
https://support.f5.com/csp/article/K20059815	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_advanced_web_application_firewall::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_analytics::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_application_security_manager::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_ddos_hybrid_defender::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_domain_name_system::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_link_controller::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::
	cpe:2.3:a:f5:big-ip_ssl_orchestrator::::::::

History

21 Nov 2024, 05:34

Type	Values Removed	Values Added
References	~~() https://support.f5.com/csp/article/K20059815 - Vendor Advisory~~	() https://support.f5.com/csp/article/K20059815 - Vendor Advisory

Information

Published : 2020-11-05 20:15

Updated : 2024-11-21 05:34

NVD link : CVE-2020-5943

Mitre link : CVE-2020-5943

CVE.ORG link : CVE-2020-5943

JSON object : View

Products Affected

big-ip_local_traffic_manager
big-ip_fraud_protection_service
big-ip_access_policy_manager
big-ip_ddos_hybrid_defender
big-ip_global_traffic_manager
big-ip_domain_name_system
big-ip_application_acceleration_manager
big-ip_advanced_web_application_firewall
big-ip_ssl_orchestrator
big-ip_policy_enforcement_manager
big-ip_link_controller
big-ip_analytics
big-ip_application_security_manager
big-ip_advanced_firewall_manager

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

{"id": "CVE-2020-5943", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-11-05T20:15:17.753", "references": [{"url": "https://support.f5.com/csp/article/K20059815", "tags": ["Vendor Advisory"], "source": "f5sirt@f5.com"}, {"url": "https://support.f5.com/csp/article/K20059815", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}], "descriptions": [{"lang": "en", "value": "In versions 14.1.0-14.1.0.1 and 14.1.2.5-14.1.2.7, when a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password."}, {"lang": "es", "value": "En las versiones 14.1.0-14.1.0.1 y 14.1.2.5-14.1.2.7, cuando un objeto de BIG-IP es creado o listado por medio de la interfaz REST, los campos protegidos est\u00e1n ofuscados en la respuesta de REST, no se protegen por medio de un criptograma SecureVault como TMSH lo hace. Un ejemplo de campos protegidos es la contrase\u00f1a del monitor GTM"}], "lastModified": "2024-11-21T05:34:52.570", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0B9CC06-F067-4A52-A86F-5E087FD15F6E", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEE1F0CD-8F25-4E32-8F36-C5121C1980DD", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3BA7CB6-008A-4380-8CA5-6C13D4068B1D", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DE6875B-EFE6-43B3-87D0-A8CDD49F378F", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AB5854A-499A-45B4-9C5D-53EAE2CF5F07", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2ACFC6A8-92E9-4346-A065-ED0968B5C4AE", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4CC740B-2776-4CE7-A26C-AD8A4FD88420", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F4FC4FC-3E77-4B8E-B2F7-1E234E7D89D6", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "372446BA-968E-4DB1-974D-C792AD63D810", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25F94F9D-189D-4A4E-99E7-6B3AD64FBE30", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17215C8C-26AB-4F7B-A082-F3D58D5FB1F7", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2893DE59-EF06-4B9E-ABE7-E85E68CC8F54", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "957B5A61-0297-41BA-8CEF-C673A1350341", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B24C76BB-9CC8-4DA4-95B0-657878E69390", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78E7ACFD-2D02-4C1E-B0EC-1D6B19DCFC52", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A501D0-28D1-4290-9EF4-057B6971A0D9", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "793FC152-00AD-4B1A-A6DA-6FCB25E043AE", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6456F292-2704-401E-A4B0-A3AF0AFA02FC", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB90FD02-9054-46B1-80C4-EA1F5708C266", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAD1E8D9-3031-4F6F-94FC-E99853929EB3", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43D544EE-2DE4-43E2-A5F0-EDAFE4392615", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "75CDFE82-EFFB-40B4-9D35-4E3E6403942F", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16D0CB44-0D75-4984-83AE-A05648A29B23", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C725353-3E04-46E4-8BD5-9A34A8D5B54B", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3194AC1-49A5-4D7B-BF65-41EFA6E1C376", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BCAD173-230B-4459-A318-99ECE6CF94A2", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}, {"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58825A3A-62A1-4A2A-BE02-03063515B0C9", "versionEndIncluding": "14.1.0.1", "versionStartIncluding": "14.1.0"}, {"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17E260EB-B9E0-4343-85D3-721B54093130", "versionEndIncluding": "14.1.2.7", "versionStartIncluding": "14.1.2.5"}], "operator": "OR"}]}], "sourceIdentifier": "f5sirt@f5.com"}

6.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2020-5943

6.5^/10

4.0^/10

Attach tags to `CVE-2020-5943`