CVE-2021-23016

On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: May 10, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-23016
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
f5 / big-ip_access_policy_manager	11.6.1	11.6.5.x
f5 / big-ip_access_policy_manager	12.1.0	12.1.6.x
f5 / big-ip_access_policy_manager	16.0.0	16.0.1.x
f5 / big-ip_access_policy_manager	13.1.0	13.1.4
f5 / big-ip_access_policy_manager	14.1.0	14.1.4.1
f5 / big-ip_access_policy_manager	15.1.0	15.1.3

https://support.f5.com/csp/article/K75540265

Vulnerability Database

290,206

CVE-2021-23016