CVE-2021-23002
First published: Wed Mar 31 2021(Updated: )
When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Credit: f5sirt@f5.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 Access Policy Manager Clients | >=7.1.5<7.1.8.5 | |
| F5 Access Policy Manager Clients | >=7.1.9<7.1.9.8 | |
| F5 Access Policy Manager Clients | >=7.2.1<7.2.1.1 | |
| F5 Big-ip Access Policy Manager | >=11.6.1<=11.6.5 | |
| F5 Big-ip Access Policy Manager | >=12.1.0<=12.1.5 | |
| F5 Big-ip Access Policy Manager | >=13.1.0<13.1.3.6 | |
| F5 Big-ip Access Policy Manager | >=14.1.0<14.1.4 | |
| F5 Big-ip Access Policy Manager | >=15.1.0<15.1.2.1 | |
| F5 Big-ip Access Policy Manager | >=16.0.0<16.0.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-23002?
CVE-2021-23002 is a vulnerability in BIG-IP APM that allows the session ID to be visible in the arguments of the request URL.
How does CVE-2021-23002 affect F5 Access Policy Manager Clients?
CVE-2021-23002 affects F5 Access Policy Manager Clients versions 7.1.5 to 7.1.8.5, 7.1.9 to 7.1.9.8, and 7.2.1 to 7.2.1.1.
How does CVE-2021-23002 affect F5 Big-IP Access Policy Manager?
CVE-2021-23002 affects F5 Big-IP Access Policy Manager versions 11.6.1 to 11.6.5, 12.1.0 to 12.1.5, 13.1.0 to 13.1.3.6, 14.1.0 to 14.1.4, 15.1.0 to 15.1.2.1, and 16.0.0 to 16.0.1.1.
What is the severity of CVE-2021-23002?
CVE-2021-23002 has a severity rating of 4.5 (medium).
How can I fix CVE-2021-23002?
To fix CVE-2021-23002, upgrade to BIG-IP APM versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.x, or 11.6.x.
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/description
- agent/tags
- agent/type
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- vendor/f5
- canonical/f5 access policy manager clients
- version/f5 access policy manager clients/7.1.5
- version/f5 access policy manager clients/7.1.9
- version/f5 access policy manager clients/7.2.1
- canonical/f5 big-ip access policy manager
- version/f5 big-ip access policy manager/11.6.1
- version/f5 big-ip access policy manager/11.6.5
- version/f5 big-ip access policy manager/12.1.0
- version/f5 big-ip access policy manager/12.1.5
- version/f5 big-ip access policy manager/13.1.0
- version/f5 big-ip access policy manager/14.1.0
- version/f5 big-ip access policy manager/15.1.0
- version/f5 big-ip access policy manager/16.0.0