CVE-2013-0150 — HIGH (9.3) — White Hats Nepal

Q: How severe is CVE-2013-0150?

CVE-2013-0150 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-0150?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Analytics, F5 Big-Ip Application Security Manager, F5 Big-Ip Edge Gateway.

Vulnerability Description

Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, FirePass 6.0.0 through 6.1.0 and 7.0.0, and other products "when APM is provisioned," allows remote attackers to upload and execute arbitrary files via a .. (dot dot) in the filename parameter.

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
F5	Big-Ip Access Policy Manager	>= 10.1.0, <= 10.2.4
F5	Big-Ip Advanced Firewall Manager	11.3.0
F5	Big-Ip Analytics	>= 11.0.0, <= 11.3.0
F5	Big-Ip Application Security Manager	>= 10.1.0, <= 10.2.4
F5	Big-Ip Edge Gateway	>= 10.1.0, <= 10.2.4
F5	Big-Ip Global Traffic Manager	>= 10.1.0, <= 10.2.4
F5	Big-Ip Link Controller	>= 10.1.0, <= 10.2.4
F5	Big-Ip Local Traffic Manager	>= 10.1.0, <= 10.2.4
F5	Big-Ip Policy Enforcement Manager	11.3.0
F5	Big-Ip Protocol Security Module	>= 10.1.0, <= 10.2.4
F5	Big-Ip Wan Optimization Manager	>= 10.1.0, <= 10.2.4
F5	Big-Ip Webaccelerator	>= 10.1.0, <= 10.2.4
F5	Firepass	>= 6.0.0, <= 6.1.0

Related Weaknesses (CWE)

CWE-22

References

http://secunia.com/advisories/53477Not ApplicableVendor Advisory
http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14468.htmlVendor Advisory
https://nealpoole.com/blog/2013/07/code-execution-via-f5-networks-java-applet/Third Party Advisory
http://secunia.com/advisories/53477Not ApplicableVendor Advisory
http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14468.htmlVendor Advisory
https://nealpoole.com/blog/2013/07/code-execution-via-f5-networks-java-applet/Third Party Advisory

FAQ

What is CVE-2013-0150?

CVE-2013-0150 is a vulnerability with a CVSS score of 9.3 (HIGH). Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, FirePass 6.0.0 through 6.1.0 and ...

How severe is CVE-2013-0150?

CVE-2013-0150 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-0150?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Analytics, F5 Big-Ip Application Security Manager, F5 Big-Ip Edge Gateway.