CVE-2024-23603

Published: Feb 14, 2024Modified: Sep 5, 2025

3.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Exploitability: 1.2 / Impact: 2.5

Source: NVD

Description

An SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected (6)

Products: F5: Big Ip Application Security Manager, Big Ip Advanced Web Application Firewall

2 products

Big Ip Application Security Manager

Big Ip Advanced Web Application Firewall

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Application Security Manager	From 15.1.0 to 15.1.9
F5 Big Ip Application Security Manager	From 16.1.0 to 16.1.4
F5 Big Ip Application Security Manager	Version 17.1.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
F5 Big Ip Advanced Web Application Firewall	From 15.1.0 to 15.1.10
F5 Big Ip Advanced Web Application Firewall	From 16.1.0 to 16.1.4
F5 Big Ip Advanced Web Application Firewall	Version 17.1.0

Related CWEs

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (2)

https://my.f5.com/manage/s/article/K000138047

Source: f5sirt@f5.com

Vendor Advisory

https://my.f5.com/manage/s/article/K000138047

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.