Information disclosure in BIG-IP APM

#VU14176 Information disclosure in BIG-IP APM

Published: 2018-08-01 | Updated: 2018-08-02

Vulnerability identifier: #VU14176

Vulnerability risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-5544

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BIG-IP APM
Hardware solutions / Security hardware applicances

Vendor: F5 Networks

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to insufficient input validation. A remote attacker can supply specially ctafted URI parameters when the system renders certain pages with a logon agent or a confirm box and obtain potentially sensitive configuration information, including partition and agent names.

Mitigation
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.

Vulnerable software versions

BIG-IP APM: 12.1.0 - 13.1.1

External links
http://support.f5.com/csp/article/K23024812

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in F5 BIG-IP APM