CVE-2019-19151
MEDIUM WAF: Low
CVSS 5.5
Published: 2019-12-23
CWE-269
On BIG-IP versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, BIG-IQ versions 7.0.0, 6.0.0-6.1.0, and 5.0.0-5.4.0, iWorkflow version 2.3.0, and Enterprise Manager version 3.1.1, authenticated users granted TMOS Shell (tmsh) privileges are able access objects on the file system which would normally be disallowed by tmsh restrictions. This allows for authenticated, low privileged attackers to access objects on the file system which would not normally be allowed.
WAF Coverage Analysis
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| f5 | big-iq_centralized_management | 5.0.0 - 5.4.0 |
| f5 | big-iq_centralized_management | 6.0.0 - 6.1.0 |
| f5 | big-iq_centralized_management | 7.0.0 |
| f5 | big-ip_access_policy_manager | 11.5.1 - 11.6.5 |
| f5 | big-ip_access_policy_manager | 12.1.0 - 12.1.5 |
| f5 | big-ip_access_policy_manager | 13.0.0 - 13.1.3 |
| f5 | big-ip_access_policy_manager | 14.0.0 - 14.1.2 |
| f5 | big-ip_access_policy_manager | 15.0.0 - 15.1.0 |
| f5 | big-ip_advanced_firewall_manager | 11.5.1 - 11.6.5 |
| f5 | big-ip_advanced_firewall_manager | 12.1.0 - 12.1.5 |
References
- support.f5.com (Vendor Advisory)