Vulnerability Description
On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher texts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Access Policy Manager | >= 11.6.1, <= 11.6.3 |
Related Weaknesses (CWE)
References
- http://sbudella.altervista.org/blog/20180911-cve-2018-5548.htmlExploitTechnical DescriptionThird Party Advisory
- http://www.securityfocus.com/bid/105353Third Party AdvisoryVDB Entry
- https://support.f5.com/csp/article/K66171422Vendor Advisory
- http://sbudella.altervista.org/blog/20180911-cve-2018-5548.htmlExploitTechnical DescriptionThird Party Advisory
- http://www.securityfocus.com/bid/105353Third Party AdvisoryVDB Entry
- https://support.f5.com/csp/article/K66171422Vendor Advisory
FAQ
What is CVE-2018-5548?
CVE-2018-5548 is a vulnerability with a CVSS score of 6.1 (MEDIUM). On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to...
How severe is CVE-2018-5548?
CVE-2018-5548 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5548?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager.