Description
On BIG-IP versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, BIG-IQ versions 7.0.0, 6.0.0-6.1.0, and 5.0.0-5.4.0, iWorkflow version 2.3.0, and Enterprise Manager version 3.1.1, authenticated users granted TMOS Shell (tmsh) privileges are able to access objects on the file system which would normally be disallowed by tmsh restrictions. This allows authenticated, low-privileged attackers to access objects on the file system which would not normally be allowed.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K21711352
Scores
CVSS v3
5.5
EPSS
0.0018
EPSS Percentile
39.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-269
Status
published
Products (17)
f5/big-ip_access_policy_manager
11.5.1 - 11.6.5
f5/big-ip_advanced_firewall_manager
11.5.1 - 11.6.5
f5/big-ip_analytics
11.5.1 - 11.6.5
f5/big-ip_application_acceleration_manager
11.5.1 - 11.6.5
f5/big-ip_application_security_manager
11.5.1 - 11.6.5
f5/big-ip_domain_name_system
11.5.1 - 11.6.5
f5/big-ip_edge_gateway
11.5.1 - 11.6.5
f5/big-ip_fraud_protection_service
11.5.1 - 11.6.5
f5/big-ip_global_traffic_manager
11.5.1 - 11.6.5
f5/big-ip_link_controller
11.5.1 - 11.6.5
... and 7 more
Published
Dec 23, 2019
Tracked Since
Feb 18, 2026