Improper input validation in Python Flask module in BIG-IQ Centralized Management and F5OS
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-1000656 CVE-2019-1010083 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
BIG-IQ Centralized Management Server applications / Remote management servers, RDP, SSH F5OS Operating systems & Components / Operating system |
| Vendor | F5 Networks |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU18150
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2018-1000656
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing JSON data in incorrect encoding. A remote attacker can supply a specially crafted JSON string and consume all available memory resources.
Successful exploitation of the vulnerability may allow an attacker to perform denial of service (DoS) attack.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsBIG-IQ Centralized Management: 6.0.1 - 8.0.0.1
F5OS: 1.1.0 - 1.1.2
External linkshttp://support.f5.com/csp/article/K63597327
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU19269
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2019-1010083
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the package allows for unsafe encoded JSON data to be decoded. A remote attacker can perform a denial of service attack on the affected system.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsBIG-IQ Centralized Management: 6.0.1 - 8.0.0.1
F5OS: 1.1.0 - 1.1.2
External linkshttp://support.f5.com/csp/article/K63597327
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
