On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x prior to 16.1.1, 15.1.x prior to 15.1.4, and 14.1.x prior to 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged malicious user to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
f5 big-ip advanced web application firewall |
||
f5 big-ip application security manager |
||
f5 big-ip fraud protection service |