Vulnerability Description
On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Access Policy Manager | 13.1.0 |
| F5 | Big-Ip Advanced Web Application Firewall | 13.1.0 |
| F5 | Big-Ip Application Security Manager | 13.1.0 |
| F5 | Big-Ip Guided Configuration | < 9.0 |
Related Weaknesses (CWE)
References
- https://support.f5.com/csp/article/K68647001Vendor Advisory
- https://support.f5.com/csp/article/K68647001Vendor Advisory
FAQ
What is CVE-2022-27806?
CVE-2022-27806 is a vulnerability with a CVSS score of 8.7 (HIGH). On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Applia...
How severe is CVE-2022-27806?
CVE-2022-27806 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-27806?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Application Security Manager, F5 Big-Ip Guided Configuration.