Main Vulnerability Database Vulnerabilities #VU62824

#VU62824 Path traversal in BIG-IP - CVE-2022-26835

Published: May 5, 2022

Vulnerability identifier: #VU62824

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-26835

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
BIG-IP

Software vendor:
F5 Networks

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error in iControl REST and tmsh command when processing directory traversal sequences in BIG-IP systems deployed in Standard and Appliance mode. An attacker with at least resource administrator role privileges can send a specially crafted HTTP request to the iControl REST API or pass specially crafted arguments to the tmsh command and view contents of arbitrary files on the system.

Remediation

Install update from vendor's website.

External links

https://support.f5.com/csp/article/K53197140