CVE-2013-0150 : Directory traversal vulnerability in an unspecified signed Java applet in the cl

Directory traversal vulnerability in an unspecified signed Java applet in the client-side components in F5 BIG-IP APM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, FirePass 6.0.0 through 6.1.0 and 7.0.0, and other products "when APM is provisioned," allows remote attackers to upload and execute arbitrary files via a .. (dot dot) in the filename parameter.

Published 2013-08-09 20:56:07

Updated 2023-12-14 16:08:02

Source CERT/CC

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2013-0150

F5 » Big-ip Local Traffic Manager
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Local Traffic Manager
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Global Traffic Manager
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Application Security Manager
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Webaccelerator
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Wan Optimization Manager
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Wan Optimization Manager
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_wan_optimization_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Edge Gateway
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Protocol Security Module
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Protocol Security Module
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_protocol_security_module:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 10.1.0 and up to, including, (<=) 10.2.4
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Link Controller
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Analytics
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.3.0
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
Matching versions
F5 » Firepass
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.1.0
cpe:2.3:a:f5:firepass:*:*:*:*:*:*:*:*
Matching versions
F5 » Firepass » Version: 7.0.0
cpe:2.3:a:f5:firepass:7.0.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Advanced Firewall Manager » Version: 11.3.0
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:11.3.0:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Policy Enforcement Manager » Version: 11.3.0
cpe:2.3:a:f5:big-ip_policy_enforcement_manager:11.3.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-0150

EPSS FAQ

1.38%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 79 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-0150

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-0150

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0150

http://secunia.com/advisories/53477

Sign in
Not Applicable;Vendor Advisory
http://support.f5.com/kb/en-us/solutions/public/14000/400/sol14468.html

Vendor Advisory
https://nealpoole.com/blog/2013/07/code-execution-via-f5-networks-java-applet/

Code Execution via F5 Networks Java Appplet » Neal Poole
Third Party Advisory

Jump to

Vulnerability Details : CVE-2013-0150

Products affected by CVE-2013-0150

Exploit prediction scoring system (EPSS) score for CVE-2013-0150

CVSS scores for CVE-2013-0150

CWE ids for CVE-2013-0150

References for CVE-2013-0150