CVE-2021-23028

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: Sep 14, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-23028
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
f5 / big-ip_application_security_manager	15.1.0	15.1.3.1
f5 / big-ip_advanced_web_application_firewall	13.1.3.5	13.1.3.6.x
f5 / big-ip_advanced_web_application_firewall	14.1.3.1	14.1.4.1.x
f5 / big-ip_application_security_manager	13.1..3.5	13.1.3.6.x
f5 / big-ip_application_security_manager	14.1.3.1	14.1.4.1.x
f5 / big-ip_advanced_web_application_firewall	16.0.1	16.0.1.x
f5 / big-ip_application_security_manager	16.0.1	16.0.1.x
f5 / big-ip_advanced_web_application_firewall	15.1.1	15.1.3.1

https://support.f5.com/csp/article/K00602225

Vulnerability Database

289,599

CVE-2021-23028