Link following in BIG-IP Analytics - CVE-2019-6679

Published: December 23, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30502
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-6679
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: F5 Networks
Affected software:
BIG-IP Analytics

Detailed vulnerability description

The vulnerability allows a local authenticated user to manipulate data (overwrite configuration files that should be restricted).

On BIG-IP versions 15.0.0-15.0.1, 14.1.0.2-14.1.2.2, 14.0.0.5-14.0.1, 13.1.1.5-13.1.3.1, 12.1.4.1-12.1.5, 11.6.4-11.6.5, and 11.5.9-11.5.10, the access controls implemented by scp.whitelist and scp.blacklist are not properly enforced for paths that are symlinks. This allows authenticated users with SCP access to overwrite certain configuration files that would otherwise be restricted.
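As an added illustration of the CWE-59 pattern described above (this is not code from F5 or from this advisory, and the directory and file names are constructed placeholders rather than BIG-IP paths): the same allowlist/denylist rule applied to the path as supplied versus applied after resolving symlinks, showing why only the latter holds up.

```python
import os
import tempfile

def _under(path, roots):
    # True when path lies inside one of roots, compared component-wise so
    # that "/srv/shared2" is not mistaken for a child of "/srv/shared".
    return any(os.path.commonpath([path, r]) == r for r in roots)

def naive_allowed(path, allowlist, denylist):
    # Weak check: normalises the string (so ".." is handled) but judges the
    # path by where it appears to be; a symlink keeps its apparent location.
    p = os.path.normpath(path)
    return _under(p, allowlist) and not _under(p, denylist)

def hardened_allowed(path, allowlist, denylist):
    # Resolves every symlink component first, then applies the same rules to
    # the real target. The list roots are resolved too, so they compare on
    # equal terms even when the roots themselves sit behind a symlink.
    p = os.path.realpath(path)
    allow = [os.path.realpath(r) for r in allowlist]
    deny = [os.path.realpath(r) for r in denylist]
    return _under(p, allow) and not _under(p, deny)

def demo():
    # Constructed layout: an allowlisted upload area and a denylisted
    # configuration area, with a symlink in the former that points at a
    # file in the latter. Names are placeholders, not BIG-IP paths.
    base = tempfile.mkdtemp()
    shared, config = os.path.join(base, "shared"), os.path.join(base, "config")
    os.makedirs(shared)
    os.makedirs(config)
    target = os.path.join(config, "restricted.conf")
    plain = os.path.join(shared, "notes.txt")
    for f in (target, plain):
        open(f, "w").close()
    link = os.path.join(shared, "upload.txt")
    os.symlink(target, link)
    allow, deny = [shared], [config]
    return {
        "plain_file": hardened_allowed(plain, allow, deny),        # True
        "direct_target": hardened_allowed(target, allow, deny),    # False
        "naive_via_link": naive_allowed(link, allow, deny),        # True: bypass
        "hardened_via_link": hardened_allowed(link, allow, deny),  # False: blocked
    }
```

The naive check accepts the link because it lives in the allowlisted directory, while the hardened check evaluates the resolved target and rejects it.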

How to mitigate CVE-2019-6679

Install the update from the vendor's website.

Sources