Main Vulnerability Database SB2021021903

SB2021021903 - Information disclosure in curl implementation within Command Line Interface, EAV Monitors and iRules components in F5 BIG-IP products

Published: February 19, 2021

Security Bulletin ID SB2021021903

Severity

Medium

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2020-8284)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way cURL handles PASV responses. A remote attacker with control over malicious FTP server can use the PASV response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://support.f5.com/csp/article/K63525058

Vulnerable Software

BIG-IP SSLO: 14.1.0 - 16.0.1.1
BIG-IP PEM: 14.1.0 - 16.0.1.1
BIG-IP Link Controller: 14.1.0 - 16.0.1.1
BIG-IP GTM: 14.1.0 - 16.0.1.1
BIG-IP FPS: 14.1.0 - 16.0.1.1
BIG-IP DNS: 14.1.0 - 16.0.1.1
BIG-IP DDHD: 14.1.0 - 16.0.1.1
BIG-IP ASM: 14.1.0 - 16.0.1.1
BIG-IP APM: 14.1.0 - 16.0.1.1
BIG-IP Analytics: 14.1.0 - 16.0.1.1
BIG-IP AFM: 14.1.0 - 16.0.1.1
BIG-IP Advanced WAF: 14.1.0 - 16.0.1.1
BIG-IP AAM: 14.1.0 - 16.0.1.1
BIG-IP LTM: 14.1.0 - 16.0.1.1
BIG-IP: 14.1.0 - 16.0.1.1

SB2021021903 - Information disclosure in curl implementation within Command Line Interface, EAV Monitors and iRules components in F5 BIG-IP products

Breakdown by Severity

Description

Remediation

References

Please verify you're human