CVE-2021-23050

Published: Sep 14, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected (7)

Products: F5: Big Ip Advanced Web Application Firewall, Big Ip Application Security Manager, Nginx App Protect

3 products

Big Ip Advanced Web Application Firewall

Big Ip Application Security Manager

Nginx App Protect

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Advanced Web Application Firewall	From 15.1.0 to 15.1.3.1
F5 Big Ip Advanced Web Application Firewall	From 16.0.0 to 16.0.1.2
F5 Big Ip Application Security Manager	From 15.1.0 to 15.1.3.1
F5 Big Ip Application Security Manager	From 16.0.0 to 16.0.1.2
F5 Nginx App Protect	From 1.0.0 to 1.3.0
F5 Nginx App Protect	From 2.0.0 to 2.3.0
F5 Nginx App Protect	From 3.0.0 to 3.5.0

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://support.f5.com/csp/article/K44553214

Source: f5sirt@f5.com

Vendor Advisory

https://support.f5.com/csp/article/K44553214

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.