BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
References
Link | Resource |
---|---|
https://my.f5.com/manage/s/article/K98606833 | Vendor Advisory |
https://my.f5.com/manage/s/article/K98606833 | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
Configuration 9 (hide)
|
Configuration 10 (hide)
|
Configuration 11 (hide)
|
Configuration 12 (hide)
|
History
23 Jan 2025, 19:47
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:* cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:* |
|
References | () https://my.f5.com/manage/s/article/K98606833 - Vendor Advisory | |
First Time |
F5 big-ip Analytics
F5 big-ip Application Security Manager F5 big-ip Fraud Protection Service F5 big-iq Centralized Management F5 big-ip Global Traffic Manager F5 big-ip Advanced Firewall Manager F5 F5 big-ip Application Acceleration Manager F5 big-ip Link Controller F5 big-ip Access Policy Manager F5 big-ip Domain Name System F5 big-ip Policy Enforcement Manager F5 big-ip Local Traffic Manager |
21 Nov 2024, 08:54
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
References | () https://my.f5.com/manage/s/article/K98606833 - |
14 Feb 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-14 17:15
Updated : 2025-01-23 19:47
NVD link : CVE-2024-21782
Mitre link : CVE-2024-21782
CVE.ORG link : CVE-2024-21782
JSON object : View
Products Affected
f5
- big-ip_advanced_firewall_manager
- big-ip_analytics
- big-ip_application_acceleration_manager
- big-ip_fraud_protection_service
- big-ip_link_controller
- big-ip_access_policy_manager
- big-iq_centralized_management
- big-ip_application_security_manager
- big-ip_domain_name_system
- big-ip_global_traffic_manager
- big-ip_local_traffic_manager
- big-ip_policy_enforcement_manager
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')