Main Vulnerability Database SB2022050520

SB2022050520 - Path traversal in BIG-IP iControl REST and tmsh

Published: May 5, 2022

Security Bulletin ID SB2022050520

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2022-26835)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in iControl REST and tmsh command when processing directory traversal sequences in BIG-IP systems deployed in Standard and Appliance mode. An attacker with at least resource administrator role privileges can send a specially crafted HTTP request to the iControl REST API or pass specially crafted arguments to the tmsh command and view contents of arbitrary files on the system.

Remediation

Install update from vendor's website.

References

https://support.f5.com/csp/article/K53197140