CVE-2021-22980 : In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7

In Edge Client version 7.2.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, and 7.1.x-7.1.8.x before 7.1.8.5, an untrusted search path vulnerability in the BIG-IP APM Client Troubleshooting Utility (CTU) for Windows could allow an attacker to load a malicious DLL library from its current directory. User interaction is required to exploit this vulnerability in that the victim must run this utility on the Windows system. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Published 2021-02-12 18:15:13

Updated 2021-02-19 17:57:27

Source F5 Networks

View at NVD, CVE.org

Vulnerability category: File inclusion

Products affected by CVE-2021-22980

F5 » Big-ip Access Policy Manager
Versions from including (>=) 11.6.1 and up to, including, (<=) 11.6.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 15.1.0 and up to, including, (<=) 15.1.2
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 12.1.0 and up to, including, (<=) 12.1.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 13.1.0 and before (<) 13.1.3.6
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 16.0.0 and before (<) 16.0.1.1
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Big-ip Access Policy Manager
Versions from including (>=) 14.1.0 and up to, including, (<=) 14.1.3
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
F5 » Access Policy Manager Clients
Versions from including (>=) 7.1.9 and before (<) 7.1.9.8
cpe:2.3:a:f5:access_policy_manager_clients:*:*:*:*:*:*:*:*
Matching versions
F5 » Access Policy Manager Clients
Versions from including (>=) 7.1.5 and before (<) 7.1.8.5
cpe:2.3:a:f5:access_policy_manager_clients:*:*:*:*:*:*:*:*
Matching versions
F5 » Access Policy Manager Clients
Versions from including (>=) 7.2.1 and before (<) 7.2.1.1
cpe:2.3:a:f5:access_policy_manager_clients:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-22980

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22980

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-22980

CWE-426 Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-22980

https://support.f5.com/csp/article/K29282483

Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-22980

Products affected by CVE-2021-22980

Exploit prediction scoring system (EPSS) score for CVE-2021-22980

CVSS scores for CVE-2021-22980

CWE ids for CVE-2021-22980

References for CVE-2021-22980