CVE-2020-5907

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 01-07-2020 05:15

Last modified: - 03-05-2022 03:59

Total changes: - 3

Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, an authorized user provided with access only to the TMOS Shell (tmsh) may be able to conduct arbitrary file read/writes via the built-in sftp functionality.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

High

Confidentiality

High

Integrity

High

Privileges required

Unchanged

Scope

None

User interaction

7.2

Base score

1.2

5.9

Exploitability score

Impact score

Verification logic

vendor=f5 AND product=big-ip_access_policy_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_access_policy_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_access_policy_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_access_policy_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_access_policy_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_advanced_firewall_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_advanced_firewall_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_advanced_firewall_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_advanced_firewall_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_advanced_firewall_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_analytics AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_analytics AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_analytics AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_analytics AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_analytics AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_application_acceleration_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_application_acceleration_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_application_acceleration_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_application_acceleration_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_application_acceleration_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_application_security_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_application_security_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_application_security_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_application_security_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_application_security_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_domain_name_system AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_domain_name_system AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_domain_name_system AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_domain_name_system AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_domain_name_system AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_fraud_protection_service AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_fraud_protection_service AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_fraud_protection_service AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_fraud_protection_service AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_fraud_protection_service AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_global_traffic_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.6.1

vendor=f5 AND product=big-ip_global_traffic_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_global_traffic_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_global_traffic_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_global_traffic_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_link_controller AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_link_controller AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_link_controller AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_link_controller AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_link_controller AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_local_traffic_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_local_traffic_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_local_traffic_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_local_traffic_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_local_traffic_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

vendor=f5 AND product=big-ip_policy_enforcement_manager AND versionEndIncluding=11.6.5 AND versionStartIncluding=11.5.2

vendor=f5 AND product=big-ip_policy_enforcement_manager AND versionEndIncluding=12.1.5 AND versionStartIncluding=12.1.0

vendor=f5 AND product=big-ip_policy_enforcement_manager AND versionEndIncluding=13.1.3 AND versionStartIncluding=13.1.0

vendor=f5 AND product=big-ip_policy_enforcement_manager AND versionEndIncluding=14.1.2 AND versionStartIncluding=14.1.0

vendor=f5 AND product=big-ip_policy_enforcement_manager AND versionEndIncluding=15.1.0 AND versionStartIncluding=15.0.0

Reference

https://support.f5.com/csp/article/K00091341
VU#290915-Third Party Advisory, US Government Resource

Keywords

CVE-2020-5907

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-5907

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures