CVE-2021-23012
HIGHBIG-IP 13.1.0-13.1.3, 14.1.0-14.1.3, 15.1.0-15.1.2, 16.0.0-16.0.1 - OS Command Injection via System Support
Title source: llmDescription
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K04234247
Scores
CVSS v3
8.2
EPSS
0.0019
EPSS Percentile
40.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-78
Status
published
Products (14)
f5/big-ip_access_policy_manager
13.1.0 - 13.1.4
f5/big-ip_advanced_firewall_manager
13.1.0 - 13.1.4
f5/big-ip_advanced_web_application_firewall
13.1.0 - 13.1.4
f5/big-ip_analytics
13.1.0 - 13.1.4
f5/big-ip_application_acceleration_manager
13.1.0 - 13.1.4
f5/big-ip_application_security_manager
13.1.0 - 13.1.4
f5/big-ip_ddos_hybrid_defender
13.1.0 - 13.1.4
f5/big-ip_domain_name_system
13.1.0 - 13.1.4
f5/big-ip_fraud_protection_service
13.1.0 - 13.1.4
f5/big-ip_global_traffic_manager
13.1.0 - 13.1.4
... and 4 more
Published
May 10, 2021
Tracked Since
Feb 18, 2026