CVE-2023-28406

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: May 3, 2023
Updated: May 4, 2023
CVE: CVE-2023-28406
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
f5 / big-ip_analytics	13.1.0	13.1.5.x
f5 / big-ip_policy_enforcement_manager	13.1.0	13.1.5.x
f5 / big-ip_local_traffic_manager	13.1.0	13.1.5.x
f5 / big-ip_link_controller	13.1.0	13.1.5.x
f5 / big-ip_global_traffic_manager	13.1.0	13.1.5.x
f5 / big-ip_fraud_protection_service	13.1.0	13.1.5.x
f5 / big-ip_domain_name_system	13.1.0	13.1.5.x
f5 / big-ip_application_security_manager	13.1.0	13.1.5.x
f5 / big-ip_application_acceleration_manager	13.1.0	13.1.5.x
f5 / big-ip_advanced_firewall_manager	13.1.0	13.1.5.x
f5 / big-ip_access_policy_manager	13.1.0	13.1.5.x
f5 / big-ip_advanced_web_application_firewall	13.1.0	13.1.5.x
f5 / big-ip_application_visibility_and_reporting	13.1.0	13.1.5.x
f5 / big-ip_carrier-grade_nat	13.1.0	13.1.5.x
f5 / big-ip_ddos_hybrid_defender	13.1.0	13.1.5.x
f5 / big-ip_edge_gateway	13.1.0	13.1.5.x
f5 / big-ip_ssl_orchestrator	13.1.0	13.1.5.x
f5 / big-ip_webaccelerator	13.1.0	13.1.5.x
f5 / big-ip_websafe	13.1.0	13.1.5.x
f5 / big-ip_domain_name_system	16.1.0	16.1.3.4
f5 / big-ip_edge_gateway	16.1.0	16.1.3.4
f5 / big-ip_fraud_protection_service	16.1.0	16.1.3.4
f5 / big-ip_global_traffic_manager	16.1.0	16.1.3.4
f5 / big-ip_link_controller	16.1.0	16.1.3.4
f5 / big-ip_local_traffic_manager	16.1.0	16.1.3.4
f5 / big-ip_policy_enforcement_manager	16.1.0	16.1.3.4
f5 / big-ip_ssl_orchestrator	16.1.0	16.1.3.4
f5 / big-ip_webaccelerator	16.1.0	16.1.3.4
f5 / big-ip_websafe	16.1.0	16.1.3.4
f5 / big-ip_access_policy_manager	15.1.0	15.1.8.2
f5 / big-ip_advanced_firewall_manager	15.1.0	15.1.8.2
f5 / big-ip_advanced_web_application_firewall	15.1.0	15.1.8.2
f5 / big-ip_analytics	15.1.0	15.1.8.2
f5 / big-ip_application_acceleration_manager	15.1.0	15.1.8.2
f5 / big-ip_application_security_manager	15.1.0	15.1.8.2
f5 / big-ip_application_visibility_and_reporting	15.1.0	15.1.8.2
f5 / big-ip_carrier-grade_nat	15.1.0	15.1.8.2
f5 / big-ip_ddos_hybrid_defender	15.1.0	15.1.8.2
f5 / big-ip_domain_name_system	15.1.0	15.1.8.2
f5 / big-ip_edge_gateway	15.1.0	15.1.8.2
f5 / big-ip_fraud_protection_service	15.1.0	15.1.8.2
f5 / big-ip_global_traffic_manager	15.1.0	15.1.8.2
f5 / big-ip_link_controller	15.1.0	15.1.8.2
f5 / big-ip_local_traffic_manager	15.1.0	15.1.8.2
f5 / big-ip_policy_enforcement_manager	15.1.0	15.1.8.2
f5 / big-ip_ssl_orchestrator	15.1.0	15.1.8.2
f5 / big-ip_webaccelerator	15.1.0	15.1.8.2
f5 / big-ip_websafe	15.1.0	15.1.8.2
f5 / big-ip_websafe	14.1.0	14.1.5.4
f5 / big-ip_webaccelerator	14.1.0	14.1.5.4
f5 / big-ip_ssl_orchestrator	14.1.0	14.1.5.4
f5 / big-ip_policy_enforcement_manager	14.1.0	14.1.5.4
f5 / big-ip_local_traffic_manager	14.1.0	14.1.5.4
f5 / big-ip_link_controller	14.1.0	14.1.5.4
f5 / big-ip_global_traffic_manager	14.1.0	14.1.5.4
f5 / big-ip_fraud_protection_service	14.1.0	14.1.5.4
f5 / big-ip_edge_gateway	14.1.0	14.1.5.4
f5 / big-ip_domain_name_system	14.1.0	14.1.5.4
f5 / big-ip_ddos_hybrid_defender	14.1.0	14.1.5.4
f5 / big-ip_carrier-grade_nat	14.1.0	14.1.5.4
f5 / big-ip_application_visibility_and_reporting	14.1.0	14.1.5.4
f5 / big-ip_application_security_manager	14.1.0	14.1.5.4
f5 / big-ip_application_acceleration_manager	14.1.0	14.1.5.4
f5 / big-ip_analytics	14.1.0	14.1.5.4
f5 / big-ip_advanced_web_application_firewall	14.1.0	14.1.5.4
f5 / big-ip_advanced_firewall_manager	14.1.0	14.1.5.4
f5 / big-ip_access_policy_manager	14.1.0	14.1.5.4
f5 / big-ip_websafe	17.0.0	17.1.0.1
f5 / big-ip_webaccelerator	17.0.0	17.1.0.1
f5 / big-ip_ssl_orchestrator	17.0.0	17.1.0.1
f5 / big-ip_policy_enforcement_manager	17.0.0	17.1.0.1
f5 / big-ip_local_traffic_manager	17.0.0	17.1.0.1
f5 / big-ip_link_controller	17.0.0	17.1.0.1
f5 / big-ip_global_traffic_manager	17.0.0	17.1.0.1
f5 / big-ip_fraud_protection_service	17.0.0	17.1.0.1
f5 / big-ip_edge_gateway	17.0.0	17.1.0.1
f5 / big-ip_domain_name_system	17.0.0	17.1.0.1
f5 / big-ip_ddos_hybrid_defender	17.0.0	17.1.0.1
f5 / big-ip_ddos_hybrid_defender	16.1.0	16.1.3.4
f5 / big-ip_carrier-grade_nat	17.0.0	17.1.0.1
f5 / big-ip_carrier-grade_nat	16.1.0	16.1.3.4
f5 / big-ip_application_visibility_and_reporting	17.0.0	17.1.0.1
f5 / big-ip_application_visibility_and_reporting	16.1.0	16.1.3.4
f5 / big-ip_application_security_manager	17.0.0	17.1.0.1
f5 / big-ip_application_security_manager	16.1.0	16.1.3.4
f5 / big-ip_application_acceleration_manager	17.0.0	17.1.0.1
f5 / big-ip_application_acceleration_manager	16.1.0	16.1.3.4
f5 / big-ip_analytics	17.0.0	17.1.0.1
f5 / big-ip_analytics	16.1.0	16.1.3.4
f5 / big-ip_advanced_web_application_firewall	17.0.0	17.1.0.1
f5 / big-ip_advanced_web_application_firewall	16.1.0	16.1.3.4
f5 / big-ip_advanced_firewall_manager	17.0.0	17.1.0.1
f5 / big-ip_advanced_firewall_manager	16.1.0	16.1.3.4
f5 / big-ip_access_policy_manager	17.0.0	17.1.0.1
f5 / big-ip_access_policy_manager	16.1.0	16.1.3.4

https://my.f5.com/manage/s/article/K000132768

Vulnerability Database

289,599

CVE-2023-28406