ID

VAR-202205-0394


CVE

CVE-2022-1388


TITLE

F5 BIG-IP Access control error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202205-2141

DESCRIPTION

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. F5 BIG-IP is the United States F5 The company's integrated traffic management, DNS , inbound and outbound rules, web application firewall, web An application delivery platform with functions such as gateway and load balancing. F5 BIG-IP iControl REST Authentication Bypass Vulnerability, which is due to iControl REST There is a bypass defect in the component's authentication function, which causes the authorized access mechanism to fail. An unauthenticated attacker exploits this vulnerability by BIG-IP The server sends maliciously constructed requests, bypasses authentication, executes arbitrary system commands on the target system, creates or deletes files, and disables services

Trust: 1.08

sources: NVD: CVE-2022-1388 // VULHUB: VHN-419501 // VULMON: CVE-2022-1388

AFFECTED PRODUCTS

vendor:f5model:big-ip advanced firewall managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip analyticsscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:16.1.2.2

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:gteversion:15.1.0

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip local traffic managerscope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip application security managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:16.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:14.1.4.6

Trust: 1.0

vendor:f5model:big-ip link controllerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:ltversion:13.1.5

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:ltversion:15.1.5.1

Trust: 1.0

vendor:f5model:big-ip global traffic managerscope:gteversion:13.1.0

Trust: 1.0

vendor:f5model:big-ip advanced firewall managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip analyticsscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip policy enforcement managerscope:gteversion:14.1.0

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:12.1.6

Trust: 1.0

vendor:f5model:big-ip domain name systemscope:lteversion:11.6.5

Trust: 1.0

vendor:f5model:big-ip fraud protection servicescope:gteversion:12.1.0

Trust: 1.0

vendor:f5model:big-ip access policy managerscope:gteversion:11.6.1

Trust: 1.0

vendor:f5model:big-ip application acceleration managerscope:gteversion:15.1.0

Trust: 1.0

sources: NVD: CVE-2022-1388

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2022-1388
value: CRITICAL

Trust: 1.0

CNNVD: CNNVD-202205-2141
value: CRITICAL

Trust: 0.6

VUL-HUB: VHN-419501
value: HIGH RISK

Trust: 0.1

VULMON: CVE-2022-1388
value: HIGH

Trust: 0.1

NVD: CVE-2022-1388
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.1

VULHUB: VHN-419501
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

NVD: CVE-2022-1388
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-419501 // VULMON: CVE-2022-1388 // CNNVD: CNNVD-202205-2141 // NVD: CVE-2022-1388

PROBLEMTYPE DATA

problemtype:CWE-306

Trust: 1.1

sources: VULHUB: VHN-419501 // NVD: CVE-2022-1388

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2141

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202205-2141

CONFIGURATIONS

sources: NVD: CVE-2022-1388

PATCH

title:F5 BIG-IP Fixes for access control error vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=191844

Trust: 0.6

title: - url:https://github.com/zephrfish/f5-cve-2022-1388-exploit

Trust: 0.1

title: - url:https://github.com/devengpk/cve-2022-1388

Trust: 0.1

title: - url:https://github.com/iveresk/cve-2022-1388-1veresk

Trust: 0.1

title: - url:https://github.com/chocapikk/cve-2022-1388

Trust: 0.1

title: - url:https://github.com/zeyad-azima/cve-2022-1388

Trust: 0.1

title: - url:https://github.com/justakazh/cve-2022-1388

Trust: 0.1

title: - url:https://github.com/iveresk/cve-2022-1388-iveresk-command-shell

Trust: 0.1

title: - url:https://github.com/trhacknon/f5-cve-2022-1388-exploit

Trust: 0.1

title: - url:https://github.com/thatonesecguy/cve-2022-1388-exploit

Trust: 0.1

title: - url:https://github.com/revanmalang/cve-2022-1388

Trust: 0.1

title: - url:https://github.com/linjacck/cve-2022-1388-exp

Trust: 0.1

sources: VULMON: CVE-2022-1388 // CNNVD: CNNVD-202205-2141

EXTERNAL IDS

db:NVDid:CVE-2022-1388

Trust: 1.8

db:PACKETSTORMid:167007

Trust: 1.6

db:PACKETSTORMid:167150

Trust: 1.6

db:PACKETSTORMid:167118

Trust: 1.6

db:EXPLOIT-DBid:50932

Trust: 0.6

db:CS-HELPid:SB2022051005

Trust: 0.6

db:CXSECURITYid:WLB-2022050040

Trust: 0.6

db:CNNVDid:CNNVD-202205-2141

Trust: 0.6

db:CNVDid:CNVD-2022-35519

Trust: 0.1

db:VULHUBid:VHN-419501

Trust: 0.1

db:VULMONid:CVE-2022-1388

Trust: 0.1

sources: VULHUB: VHN-419501 // VULMON: CVE-2022-1388 // CNNVD: CNNVD-202205-2141 // NVD: CVE-2022-1388

REFERENCES

url:http://packetstormsecurity.com/files/167150/f5-big-ip-icontrol-remote-code-execution.html

Trust: 2.2

url:http://packetstormsecurity.com/files/167007/f5-big-ip-remote-code-execution.html

Trust: 2.2

url:https://support.f5.com/csp/article/k23605346

Trust: 1.6

url:http://packetstormsecurity.com/files/167118/f5-big-ip-16.0.x-remote-code-execution.html

Trust: 1.6

url:https://cxsecurity.com/cveshow/cve-2022-1388/

Trust: 0.6

url:https://cxsecurity.com/issue/wlb-2022050040

Trust: 0.6

url:https://www.exploit-db.com/exploits/50932

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051005

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-multiple-vulnerabilities-38241

Trust: 0.6

url:https://vigilance.fr/vulnerability/f5-big-ip-code-execution-via-icontrol-rest-38284

Trust: 0.6

url:cve-2022-1388

Trust: 0.2

url:167150

Trust: 0.1

url:167118

Trust: 0.1

url:167007

Trust: 0.1

url:cnvd-2022-35519

Trust: 0.1

sources: VULHUB: VHN-419501 // CNNVD: CNNVD-202205-2141 // NVD: CVE-2022-1388

CREDITS

Alt3kx

Trust: 0.6

sources: CNNVD: CNNVD-202205-2141

SOURCES

db:VULHUBid:VHN-419501
db:VULMONid:CVE-2022-1388
db:CNNVDid:CNNVD-202205-2141
db:NVDid:CVE-2022-1388

LAST UPDATE DATE

2023-02-28T22:31:59.916000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-419501date:2022-09-30T00:00:00
db:VULMONid:CVE-2022-1388date:2023-01-24T00:00:00
db:CNNVDid:CNNVD-202205-2141date:2022-05-16T00:00:00
db:NVDid:CVE-2022-1388date:2023-01-24T16:08:00

SOURCES RELEASE DATE

db:VULHUBid:VHN-419501date:2022-05-05T00:00:00
db:VULMONid:CVE-2022-1388date:2022-05-05T00:00:00
db:CNNVDid:CNNVD-202205-2141date:2022-05-04T00:00:00
db:NVDid:CVE-2022-1388date:2022-05-05T17:15:00