ID

VAR-202105-1194


CVE

CVE-2021-23015


TITLE

BIG-IP  Authentication Vulnerability in Microsoft

Trust: 0.8

sources: JVNDB: JVNDB-2021-007013

DESCRIPTION

On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. BIG-IP Contains an improper authentication vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. F5 BIG-IP is an application delivery platform integrated with network traffic management, application security management, load balancing and other functions of the US company F5. BIG-IP has an access control error vulnerability that results from improperly restricting access. The following products and versions are affected: BIG-IP: 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.3, 13.1.3.2, 13.1.3.4, 13.1.3.5, 13.1.3.6, 14.1.0, 14.1.0.2 .0.45.4 Hotfix-ENG, 14.1.0.2.0.62.4 Hotfix-ENG, 14.1.0.3.0.79.6-ENG Hotfix, 14.1.0.3.0.97.6-ENG Hotfix, 14.1.0.3.0.99.6-ENG Hotfix, 14.1.0.5.0.15.5-ENG Hotfix, 14.1.0.5.0.36.5-ENG Hotfix, 14.1.0.5.0.40.5-ENG Hotfix, 14.1.0.6.0.11.9-ENG Hotfix, 14.1.0.6. 0.14.9-ENG Hotfix, 14.1.0.6.0.68.9-ENG Hotfix, 14.1.0.6.0.70.9-ENG Hotfix, 14.1.1, 14.1.2, 14.1.2-0.89.37, 14.1.2.0.11.37 -ENG Hotfix, 14.1.2.0.18.37-ENG Hotfix, 14.1.2.0.32.37-ENG Hotfix, 14.1.2.1, 14.1.2.1.0.14.4-ENG Hotfix, 14.1.2.1.0.16.4-ENG Hotfix, 14.1. 2.1.0.34.4-ENG Hotfix, 14.1.2.1.0.46.4-ENG Hotfix, 14.1.2.1.0.83.4 Hotfix-ENG, 14.1.2.1.0.97.4-ENG Hotfix, 14.1.2.1.0.99.4- ENG Hotfix, 14.1.2.1.0.105

Trust: 2.34

sources: NVD: CVE-2021-23015 // JVNDB: JVNDB-2021-007013 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-381501 // VULMON: CVE-2021-23015

AFFECTED PRODUCTS

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:lteversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip ddos hybrid defenderscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:14.1.4

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:16.0.1.1

Trust: 1.0

vendor:f5model:big-ip ssl orchestratorscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:13.1.4

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.0.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:15.1.3

Trust: 1.0

vendor:f5model:big-ip advanced web application firewallscope: - version: -

Trust: 0.8

vendor:f5model:big-ip global traffic managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip advanced firewall managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip fraud protection servicescope: - version: -

Trust: 0.8

vendor:f5model:big-ip application acceleration managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip ddos hybrid defenderscope: - version: -

Trust: 0.8

vendor:f5model:big-ip access policy managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip application security managerscope: - version: -

Trust: 0.8

vendor:f5model:big-ip domain name systemscope: - version: -

Trust: 0.8

vendor:f5model:big-ip analyticsscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-007013 // NVD: CVE-2021-23015

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-23015
value: HIGH

Trust: 1.0

NVD: CVE-2021-23015
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202104-2145
value: HIGH

Trust: 0.6

VULHUB: VHN-381501
value: MEDIUM

Trust: 0.1

VULMON: CVE-2021-23015
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2021-23015
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-381501
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-23015
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2021-23015
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-381501 // VULMON: CVE-2021-23015 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2145 // JVNDB: JVNDB-2021-007013 // NVD: CVE-2021-23015

PROBLEMTYPE DATA

problemtype:CWE-863

Trust: 1.1

problemtype:Bad authentication (CWE-863) [NVD Evaluation ]

Trust: 0.8

sources: VULHUB: VHN-381501 // JVNDB: JVNDB-2021-007013 // NVD: CVE-2021-23015

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202104-2145

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

PATCH

title:K74151369url:https://support.f5.com/csp/article/K74151369

Trust: 0.8

title:F5 BIG-IP Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=149902

Trust: 0.6

sources: CNNVD: CNNVD-202104-2145 // JVNDB: JVNDB-2021-007013

EXTERNAL IDS

db:NVDid:CVE-2021-23015

Trust: 3.4

db:JVNDBid:JVNDB-2021-007013

Trust: 0.8

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:AUSCERTid:ESB-2021.1448.2

Trust: 0.6

db:CS-HELPid:SB2021042918

Trust: 0.6

db:CNNVDid:CNNVD-202104-2145

Trust: 0.6

db:VULHUBid:VHN-381501

Trust: 0.1

db:VULMONid:CVE-2021-23015

Trust: 0.1

sources: VULHUB: VHN-381501 // VULMON: CVE-2021-23015 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2145 // JVNDB: JVNDB-2021-007013 // NVD: CVE-2021-23015

REFERENCES

url:https://support.f5.com/csp/article/k74151369

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2021-23015

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2021.1448.2

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-privilege-escalation-via-icontrol-35194

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042918

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/863.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-381501 // VULMON: CVE-2021-23015 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202104-2145 // JVNDB: JVNDB-2021-007013 // NVD: CVE-2021-23015

SOURCES

db:VULHUBid:VHN-381501
db:VULMONid:CVE-2021-23015
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202104-2145
db:JVNDBid:JVNDB-2021-007013
db:NVDid:CVE-2021-23015

LAST UPDATE DATE

2026-06-19T21:26:59.811000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-381501date:2021-05-24T00:00:00
db:VULMONid:CVE-2021-23015date:2021-05-24T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202104-2145date:2021-07-26T00:00:00
db:JVNDBid:JVNDB-2021-007013date:2022-01-31T03:11:00
db:NVDid:CVE-2021-23015date:2026-06-17T03:38:12.917

SOURCES RELEASE DATE

db:VULHUBid:VHN-381501date:2021-05-10T00:00:00
db:VULMONid:CVE-2021-23015date:2021-05-10T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202104-2145date:2021-04-29T00:00:00
db:JVNDBid:JVNDB-2021-007013date:2022-01-31T00:00:00
db:NVDid:CVE-2021-23015date:2021-05-10T15:15:07.493