ID

VAR-202105-0647


CVE

CVE-2021-23012


TITLE

BIG-IP  Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2021-007011

DESCRIPTION

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Contains a command injection vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. BIG-IP has an input validation error vulnerability that arises from insufficient validation of user-supplied input. The following products and versions are affected: BIG-IP: 13.1.0, 13.1.0.4, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.1.0 , 14.1.0.2.0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99 .6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6.0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1 .2.0.11.37-ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1.2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1. 0.99.4-ENG Hotfix, 14

Trust: 2.34

sources: NVD: CVE-2021-23012 // JVNDB: JVNDB-2021-007011 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381498 // VULMON: CVE-2021-23012

AFFECTED PRODUCTS

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip ddos hybrid defenderscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23012
value: HIGH

Trust: 1.0

NVD: CVE-2021-23012
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-2131
value: HIGH

Trust: 0.6

VULHUB: VHN-381498
value: HIGH

Trust: 0.1

VULMON: CVE-2021-23012
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-23012
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-381498
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23012
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.5
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2021-23012
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.1

problemtype:Command injection (CWE-77) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-381498 // JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202104-2131

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:K04234247url:https://support.f5.com/csp/article/K04234247

Trust: 0.8

title:F5 BIG-IP Fixes for command injection vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=151778

Trust: 0.6

sources: CNNVD: CNNVD-202104-2131 // JVNDB: JVNDB-2021-007011

EXTERNAL IDS

db:NVDid:CVE-2021-23012

Trust: 3.4

db:JVNDBid:JVNDB-2021-007011

Trust: 0.8

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021042912

Trust: 0.6

db:AUSCERTid:ESB-2021.1454

Trust: 0.6

db:CNNVDid:CNNVD-202104-2131

Trust: 0.6

db:VULHUBid:VHN-381498

Trust: 0.1

db:VULMONid:CVE-2021-23012

Trust: 0.1

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

REFERENCES

url:https://support.f5.com/csp/article/k04234247

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-23012

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042912

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1454

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-shell-command-execution-35196

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-381498 // VULMON: CVE-2021-23012 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2131 // JVNDB: JVNDB-2021-007011 // NVD: CVE-2021-23012

SOURCES

db:VULHUBid:VHN-381498
db:VULMONid:CVE-2021-23012
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202104-2131
db:JVNDBid:JVNDB-2021-007011
db:NVDid:CVE-2021-23012

LAST UPDATE DATE

2026-06-19T20:40:15.863000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-381498date:2022-06-28T00:00:00
db:VULMONid:CVE-2021-23012date:2021-05-24T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202104-2131date:2022-03-08T00:00:00
db:JVNDBid:JVNDB-2021-007011date:2022-01-31T03:11:00
db:NVDid:CVE-2021-23012date:2026-06-17T03:38:12.567

SOURCES RELEASE DATE

db:VULHUBid:VHN-381498date:2021-05-10T00:00:00
db:VULMONid:CVE-2021-23012date:2021-05-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202104-2131date:2021-04-29T00:00:00
db:JVNDBid:JVNDB-2021-007011date:2022-01-31T00:00:00
db:NVDid:CVE-2021-23012date:2021-05-10T15:15:07.427