CVE-2021-23015
HIGHF5 BIG-IP 13.1.0-13.1.3.6, 14.1.0-14.1.4.1, 15.1.0-15.1.2.1, 16.0.x - Auth Bypass via iControl REST
Title source: llmDescription
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K74151369
Scores
CVSS v3
7.2
EPSS
0.0006
EPSS Percentile
18.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (14)
f5/big-ip_access_policy_manager
13.1.0 - 13.1.4
f5/big-ip_advanced_firewall_manager
13.1.0 - 13.1.4
f5/big-ip_advanced_web_application_firewall
13.1.0 - 13.1.4
f5/big-ip_analytics
13.1.0 - 13.1.4
f5/big-ip_application_acceleration_manager
13.1.0 - 13.1.4
f5/big-ip_application_security_manager
13.1.0 - 13.1.4
f5/big-ip_ddos_hybrid_defender
13.1.0 - 13.1.4
f5/big-ip_domain_name_system
13.1.0 - 13.1.4
f5/big-ip_fraud_protection_service
13.1.0 - 13.1.4
f5/big-ip_global_traffic_manager
13.1.0 - 13.1.4
... and 4 more
Published
May 10, 2021
Tracked Since
Feb 18, 2026