VDB
CVE-2021-22994
CVE-2021-22994
PUBLISHED
CVSS 6.099999904632568 MEDIUM
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
EPSS 0.32% · 55.1th percentile
Risk Scores
CVSS 3.1
6.099999904632568
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.32%
55.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| f5 | big-ip_application_security_manager | 12.1.0, 13.1.0, 14.1.0 |
| f5 | big-ip_policy_enforcement_manager | 13.1.0, 16.0.0, 15.1.0 |
| f5 | big-ip_analytics | 11.6.1, 16.0.0, 15.1.0 |
| f5 | big-ip_ddos_hybrid_defender | 14.1.0, 16.0.0, 15.1.0 |
| f5 | big-ip_domain_name_system | 15.1.0, 11.6.1, 12.1.0 |
| f5 | big-ip_global_traffic_manager | 11.6.1, 14.1.0, 16.0.0 |
| f5 | big-ip_advanced_firewall_manager | 15.1.0, 16.0.0, 14.1.0 |
| f5 | big-ip_application_acceleration_manager | 12.1.0, 13.1.0, 16.0.0 |
| f5 | big-ip_fraud_protection_service | 11.6.1, 16.0.0, 15.1.0 |
| f5 | big-ip_advanced_web_application_firewall | 15.1.0, 11.6.1, 12.1.0 |
| f5 | ssl_orchestrator | 15.1.0, 11.6.1, 12.1.0 |
| n/a | BIG-IP | * |
| f5 | big-ip_access_policy_manager | 11.6.1, 16.0.0, 15.1.0 |
| f5 | big-ip_local_traffic_manager | 12.1.0, 15.1.0, 14.1.0 |
| f5 | big-ip_link_controller | 11.6.1, 15.1.0, 14.1.0 |
Exploit Intelligence
- https://support.f5.com/csp/article/K66851119 (circl)
- exploit_f5_bigip_cve_2021_22986_log.yar (github-yara)
- exploit_f5_bigip_cve_2021_22986_log.yar (github-yara)
- exploit_f5_bigip_cve_2021_22986_log.yar (github-yara)
- exploit_f5_bigip_cve_2021_22986_log.yar (github-yara)
- LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1.yar (github-yara)
- LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1.yar (github-yara)
- LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1.yar (github-yara)
- LOG_F5_BIGIP_Exploitation_Artefacts_CVE_2021_22986_Mar21_1.yar (github-yara)
- LOG.yar (github-yara)
…and 43 more exploits
Timeline
- Mar 11, 2021 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Sep 23, 2021 PoC Published
- Oct 26, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
References
- https://support.f5.com/csp/article/K03009991 advisory
- https://support.f5.com/csp/article/K68251873 advisory
- https://support.f5.com/csp/article/K67830124 advisory
- https://support.f5.com/csp/article/K66851119 advisory
- https://support.f5.com/csp/article/K56715231 advisory
- https://support.f5.com/csp/article/K51674118 advisory
- https://support.f5.com/csp/article/K18132488 advisory
- https://support.f5.com/csp/article/K45056101 advisory
- https://support.f5.com/csp/article/K52510511 advisory
- https://support.f5.com/csp/article/K70031188 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2021-22994 advisory