CVE-2023-42768

Summary

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Affected Software

VendorProductVersion RangeStatus
F5BIG-IP17.1.0 < *unaffected
F5BIG-IP16.1.0 < 16.1.4affected
F5BIG-IP15.1.0 < 15.1.9affected
F5BIG-IP14.1.0 < *affected
F5BIG-IP13.1.0 < *affected

Weaknesses

  • CWE-613: CWE-613 Insufficient Session Expiration

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References