CVE-2017-6145
7.3
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 / Impact: 3.4
Source: NVD
Description
iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens.
Affected (40)
Products: F5: Big Ip Access Policy Manager, Big Ip Advanced Firewall Manager, Big Ip Analytics, Big Ip Application Acceleration Manager, Big Ip Application Security Manager, Big Ip Domain Name System, Big Ip Link Controller, Big Ip Local Traffic Manager, Big Ip Policy Enforcement Manager, Big Ip Websafe
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 | |
| Version 12.1.0 |
References (2)
Source: af854a3a-2127-422b-91ae-364da2661108
MitigationVendor Advisory
Timeline
No history available yet.