CVE-2023-36858 : An insufficient verification of data vulnerability exists in BIG-IP Edge Client

An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published 2023-08-02 16:15:10

Updated 2023-08-08 17:13:56

Source F5 Networks

View at NVD, CVE.org

Products affected by CVE-2023-36858

F5 » Big-ip Access Policy Manager
Versions from including (>=) 17.0.0 and up to, including, (<=) 17.1.0
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
F5 » Big-ip Access Policy Manager
Versions from including (>=) 16.1.0 and up to, including, (<=) 16.1.3
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
F5 » Big-ip Access Policy Manager
Versions from including (>=) 14.1.0 and up to, including, (<=) 14.1.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
F5 » Big-ip Access Policy Manager
Versions from including (>=) 13.1.0 and up to, including, (<=) 13.1.5
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
F5 » Big-ip Access Policy Manager
Versions from including (>=) 15.1.0 and up to, including, (<=) 15.1.9
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A
F5 » Access Policy Manager Clients
Versions from including (>=) 7.2.3 and before (<) 7.2.4.3
cpe:2.3:a:f5:access_policy_manager_clients:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Macos » Version: N/A
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-36858

EPSS FAQ

0.07%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 22 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-36858

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.1	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	1.8	5.2	F5 Networks
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-36858

CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Assigned by: f5sirt@f5.com (Primary)

References for CVE-2023-36858

https://my.f5.com/manage/s/article/K000132563

BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-36858

Products affected by CVE-2023-36858

Exploit prediction scoring system (EPSS) score for CVE-2023-36858

CVSS scores for CVE-2023-36858

CWE ids for CVE-2023-36858

References for CVE-2023-36858