What is CVE-2021-23031?

CVE-2021-23031 is a critical-severity vulnerability in F5 Big-ip_advanced_web_application_firewall, classified under OS Command Injection. CVSS score: 9.9/10. Published 2021-09-14.

How severe is CVE-2021-23031?

Critical severity. CVSS v3 base score is 9.9 out of 10.

RCE in F5 Big-ip_advanced_web_application_firewall

CVE-2021-23031

On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF an…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.020 (78.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

F5 Big-ip_advanced_web_application_firewall
F5 Big-ip_application_security_manager
N/a Big-ip Advanced Waf And Asm — versions 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

f5sirt@f5.com (x_refsource_MISC, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2021-23031?: CVE-2021-23031 is a critical-severity vulnerability in F5 Big-ip_advanced_web_application_firewall, classified under OS Command Injection. CVSS score: 9.9/10. Published 2021-09-14.
How severe is CVE-2021-23031?: Critical severity. CVSS v3 base score is 9.9 out of 10.