F5 BIG-IP Next Central Manager SQL Injection

high Web App Scanning Plugin ID 114281

Synopsis

F5 BIG-IP Next Central Manager SQL Injection

Description

F5 BIG-IP Next Central Manager version 20.0.1 < 20.2.0 is affected by a SQL Injection. An unauthenticated, remote attacker can exploit this to bypass authentication or extract information such as user hashes.

Solution

Upgrade to F5 BIG-IP Next Central Manager version 20.2.0 or later.

See Also

https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/

https://my.f5.com/manage/s/article/K000138732

https://my.f5.com/manage/s/article/K000138733

Plugin Details

Severity: High

ID: 114281

Type: remote

Published: 5/16/2024

Updated: 5/27/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-21793

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2024-21793

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/8/2024

Vulnerability Publication Date: 5/8/2024

Reference Information

CVE: CVE-2024-21793, CVE-2024-26026