CVE-2023-28406 — MEDIUM (4.3)

Q: How severe is CVE-2023-28406?

CVE-2023-28406 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-28406?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager.

Vulnerability Description

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
F5	Big-Ip Access Policy Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Advanced Firewall Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Advanced Web Application Firewall	>= 13.1.0, <= 13.1.5
F5	Big-Ip Analytics	>= 13.1.0, <= 13.1.5
F5	Big-Ip Application Acceleration Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Application Security Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Application Visibility And Reporting	>= 13.1.0, <= 13.1.5
F5	Big-Ip Carrier-Grade Nat	>= 13.1.0, <= 13.1.5
F5	Big-Ip Ddos Hybrid Defender	>= 13.1.0, <= 13.1.5
F5	Big-Ip Domain Name System	>= 13.1.0, <= 13.1.5
F5	Big-Ip Edge Gateway	>= 13.1.0, <= 13.1.5
F5	Big-Ip Fraud Protection Service	>= 13.1.0, <= 13.1.5
F5	Big-Ip Global Traffic Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Link Controller	>= 13.1.0, <= 13.1.5
F5	Big-Ip Local Traffic Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Policy Enforcement Manager	>= 13.1.0, <= 13.1.5
F5	Big-Ip Ssl Orchestrator	>= 13.1.0, <= 13.1.5
F5	Big-Ip Webaccelerator	>= 13.1.0, <= 13.1.5
F5	Big-Ip Websafe	>= 13.1.0, <= 13.1.5

Related Weaknesses (CWE)

CWE-22

References

https://my.f5.com/manage/s/article/K000132768Vendor Advisory
https://my.f5.com/manage/s/article/K000132768Vendor Advisory

FAQ

What is CVE-2023-28406?

CVE-2023-28406 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted ...

How severe is CVE-2023-28406?

CVE-2023-28406 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28406?

Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Advanced Web Application Firewall, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager.