CVE-2023-46748

BIG-IP Configuration utility authenticated SQL injection vulnerability

CVSS 8.8 HIGH · EPSS 4.5% · KEV · CWE-89
In short

An authenticated attacker with network access to BIG-IP's Configuration utility can inject SQL into a query and, through it, execute arbitrary system commands on the appliance. This matters because it yields full control of the affected BIG-IP system.

Technical detail

The SQL injection vulnerability in the BIG-IP Configuration utility requires prior authentication and network access to the management port or a self IP address. An attacker can craft SQL input that alters the query logic and leads to execution of arbitrary OS commands, resulting in complete compromise of the system.

Summary generated and translated by AI from the official description.
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
F5 · BIG-IP
