Detections
Analytics

F5 Networks BIG-IP : BIG-IP AFM vulnerability (K25160703)

medium Nessus Plugin ID 139818

Language:

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

A vulnerability in the BIG-IP AFM Configuration utility may allow any authenticated BIG-IP user to perform a read-only blind SQL injection attack. (CVE-2020-5920)

Impact

An attacker may be able to extract table name enumeration and user account names. All other data available through the injection is already available to an attacker through normal mechanisms.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K25160703.

See Also

https://my.f5.com/manage/s/article/K25160703

Plugin Details

Severity: Medium

ID: 139818

File Name: f5_bigip_SOL25160703.nasl

Version: 1.9

Type: local

Published: 8/26/2020

Updated: 11/3/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-5920

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Exploit Ease: No known exploits are available

Patch Publication Date: 8/25/2020

Vulnerability Publication Date: 8/26/2020

Reference Information

CVE: CVE-2020-5920

IAVA: 2020-A-0395-S