CVE-2023-22374
Published: 01 February 2023
Summary
CVE-2023-22374 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 8.5 (High).
Operationally, it ranks in the top 14.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A format string vulnerability exists in the iControl SOAP component of F5 BIG-IP, tracked as CVE-2023-22374. The flaw, categorized under CWE-134, permits an authenticated attacker to crash the iControl SOAP CGI process or potentially execute arbitrary code. On a BIG-IP running in appliance mode, successful exploitation can allow the attacker to cross a security boundary. The issue carries a CVSS 3.1 score of 8.5 and applies to versions that have not reached End of Technical Support (EoTS); EoTS versions were not evaluated.
An authenticated attacker with network access can supply crafted input to trigger the vulnerability. Depending on the environment, this may result in denial of service through process crashes or, in some cases, arbitrary code execution that crosses security boundaries on BIG-IP appliances.
F5 has published mitigation guidance in knowledge base article K000130415, which practitioners should consult for patch availability and configuration recommendations specific to their BIG-IP deployments. The EPSS score reached a peak of 0.0583 before receding to its current value of 0.0232.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26537
Vulnerability details
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s): CWE-134 (Use of Externally-Controlled Format String)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.