On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Published 2021-03-31 18:15:15
Updated 2022-07-12 17:42:04
Source F5 Networks
View at NVD,   CVE.org
Vulnerability category: OverflowInput validationExecute codeDenial of service

CVE-2021-22991 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
F5 BIG-IP Traffic Management Microkernel Buffer Overflow
CISA required action:
Apply updates per vendor instructions.
CISA description:
The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.
Added on 2022-01-18 Action due date 2022-02-01

Exploit prediction scoring system (EPSS) score for CVE-2021-22991

84.54%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 99 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-22991

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.8
MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P
8.6
6.4
NIST
9.8
CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
3.9
5.9
NIST

CWE ids for CVE-2021-22991

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-22991

Products affected by CVE-2021-22991

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!