CVE-2024-21793
Published: 08 May 2024
Summary
CVE-2024-21793 is a high-severity injection vulnerability (CWE-89, SQL Injection) in F5 BIG-IP Next Central Manager. Its CVSS 3.1 base score is 7.5 (High).
Operationally, its EPSS score places it in roughly the top 0.5% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-21793 is an OData injection vulnerability in the URI handling of the BIG-IP Next Central Manager API. The flaw is tracked under CWE-89 and affects F5 BIG-IP Next Central Manager installations that remain under support; versions that have reached End of Technical Support are excluded from evaluation. It carries a CVSS 3.1 base score of 7.5.
An unauthenticated attacker with network access to the API can supply crafted input in the request URI, resulting in unauthorized disclosure of sensitive information. The attack requires neither credentials nor user interaction, and its impact is limited to confidentiality: no integrity or availability impact is assessed.
F5 has published advisory K000138732, which lists the affected and fixed releases and the recommended remediation steps. The EPSS score is 0.8711, which is also its peak value: exploitation probability has been assessed as high since disclosure rather than climbing from a low baseline.
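To make the injection class concrete, here is an added example (not F5's code, and not the actual Central Manager endpoint, whose internals the advisory does not describe) showing the vulnerable pattern, request input concatenated into an OData `$filter`, beside the hardened form that encodes the input as a single OData string literal. A minimal evaluator for the `field eq 'literal'` subset runs both filters over constructed records so the difference is visible. The `/api/users` path, the `username` parameter, the record fields and the escaping rule applied are assumptions for the demo.

```python
import re
import urllib.parse

# Constructed in-memory records standing in for the API's backing store
# (not F5 data; the field names are hypothetical).
USERS = [
    {"username": "alice", "role": "admin", "token": "tok-alice-1"},
    {"username": "bob", "role": "viewer", "token": "tok-bob-2"},
]

# Minimal OData $filter grammar for the demo: `field eq 'literal'` comparisons
# joined by ` or `; a literal escapes an embedded quote by doubling it ('').
COMPARISON = re.compile(r"(\w+)\s+eq\s+'((?:[^']|'')*)'")


def parse_filter(expr: str):
    """Parse the demo $filter subset into a list of (field, value) alternatives."""
    clauses, pos = [], 0
    while pos < len(expr):
        m = COMPARISON.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable $filter at offset {pos}: {expr[pos:]!r}")
        clauses.append((m.group(1), m.group(2).replace("''", "'")))
        pos = m.end()
        if pos < len(expr):
            if not expr.startswith(" or ", pos):
                raise ValueError(f"expected ' or ' at offset {pos}: {expr[pos:]!r}")
            pos += len(" or ")
    return clauses


def run_query(filter_expr: str):
    """Evaluate the parsed filter: a record matches if any clause matches."""
    clauses = parse_filter(filter_expr)
    return [u for u in USERS if any(u.get(f) == v for f, v in clauses)]


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: request text spliced straight into the expression,
    so a quote in the input closes the literal and the rest becomes syntax."""
    return f"username eq '{username}'"


def odata_string_literal(value: str) -> str:
    """Hardened pattern: encode the value as one OData string literal, doubling
    embedded quotes so the input can never close the literal early."""
    return "'" + value.replace("'", "''") + "'"


def build_filter_safe(username: str) -> str:
    return "username eq " + odata_string_literal(username)


def handle_lookup(uri: str, build_filter) -> list:
    """Hypothetical endpoint: /api/users?username=<name>, resolved via $filter."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query)
    username = params.get("username", [""])[0]
    return run_query(build_filter(username))


if __name__ == "__main__":
    injected = "' or role eq 'admin"
    uri = "/api/users?username=" + urllib.parse.quote(injected)
    print(build_filter_unsafe(injected))           # username eq '' or role eq 'admin'
    print(handle_lookup(uri, build_filter_unsafe))  # alice's record, including token
    print(build_filter_safe(injected))             # username eq ''' or role eq ''admin'
    print(handle_lookup(uri, build_filter_safe))    # []
```

With the unsafe builder the single quote in the request terminates the literal and `or role eq 'admin'` is parsed as a second clause, returning a record the caller never asked for; with the hardened builder the whole input stays inside one literal and matches nothing. Literal encoding is the minimum; where the query layer offers parameter binding, prefer it.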
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19407
Vulnerability details
An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named threat actor attribution has been published for this CVE, and no ATT&CK technique mapping is available yet.
Affected Assets
F5 BIG-IP Next Central Manager. The affected and fixed releases are listed in F5 advisory K000138732; releases that have reached End of Technical Support were not evaluated.
Mitigating Controls
No per-CVE control mapping has been published for this CVE; the controls below follow from the cited weakness type (CWE-89) and the characteristics stated above.
- Upgrade to a fixed release as described in F5 advisory K000138732.
- Until patched, restrict network reachability of the Central Manager API to trusted management networks, since the flaw is exploitable without credentials or user interaction.
- For the CWE-89 class generally: build OData query expressions with parameter binding or proper string-literal encoding rather than by concatenating request input, and validate URI query parameters against an allow-list before they reach the query layer.
- Monitor API access logs for query parameter values that contain quote characters followed by OData operators, which is what an attempt to break out of a string literal looks like on the wire.
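As an added detection example (not from the page or from F5), the following scans constructed access-log lines for query parameters whose URL-decoded value contains a quote followed by an OData operator, or an unbalanced quote; the URI paths, parameter names and log format are assumptions. It is a heuristic: the quote-parity check also fires on legitimate apostrophes (the O'Brien line below), so the operator-after-quote rule is the signal worth alerting on, and parameters that legitimately carry OData expressions such as `$filter` are skipped.

```python
import re
import urllib.parse

# Constructed sample lines in Common Log Format; not real BIG-IP Next Central
# Manager logs. 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2024:10:15:01 +0000] "GET /api/v1/users?username=bob HTTP/1.1" 200 512
203.0.113.7 - - [08/May/2024:10:15:07 +0000] "GET /api/v1/users?username=%27%20or%20role%20eq%20%27admin HTTP/1.1" 200 2048
10.0.0.6 - - [08/May/2024:10:15:09 +0000] "GET /api/v1/users?$filter=username%20eq%20%27bob%27 HTTP/1.1" 200 512
10.0.0.7 - - [08/May/2024:10:15:12 +0000] "GET /api/v1/users?username=O%27Brien HTTP/1.1" 200 512
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# An OData comparison or logical operator right after a quote only makes sense
# if the caller is continuing an expression after closing a string literal.
QUOTE_THEN_OPERATOR = re.compile(r"'\s*(eq|ne|gt|ge|lt|le|and|or|not)\b", re.I)
# Parameters that legitimately carry OData expressions are not scored by these rules.
ODATA_SYSTEM_OPTIONS = {"$filter", "$orderby", "$select", "$expand", "$search", "$top", "$skip", "$count"}


def score_uri(uri: str) -> dict:
    """Return {param: [reasons]} for query parameters whose decoded value looks
    like an attempt to break out of an OData string literal."""
    findings = {}
    query = urllib.parse.urlsplit(uri).query
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        if name in ODATA_SYSTEM_OPTIONS:
            continue
        for value in values:
            reasons = []
            if QUOTE_THEN_OPERATOR.search(value):
                reasons.append("operator follows a quote")  # strong signal
            if value.count("'") % 2 == 1:
                reasons.append("unbalanced single quote")   # weak: apostrophes in names
            if reasons:
                findings.setdefault(name, []).extend(reasons)
    return findings


def scan_log(text: str) -> list:
    """Parse each line and return (source, uri, findings) for lines with any finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        findings = score_uri(m.group("uri"))
        if findings:
            hits.append((m.group("src"), m.group("uri"), findings))
    return hits


if __name__ == "__main__":
    for src, uri, findings in scan_log(SAMPLE_LOG):
        print(src, uri, findings)
```

Run over the sample, the scan reports the injection attempt from 203.0.113.7 with the strong reason and the O'Brien request with only the weak one; the benign lookup and the well-formed `$filter` request produce no finding. Tune the rule set to the parameter names your deployment actually exposes before alerting on it.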