CVE-2024-21782 | ByteOS Network

Vulnerability Details :

CVE-2024-21782

Assigner-f5

Assigner Org ID-9dacffd4-cb11-413f-8451-fbbfd4ddc0ab

Published At-14 Feb, 2024 | 16:30

Updated At-12 May, 2025 | 15:06

BIG-IP and BIG-IQ secure copy vulnerability

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:f5

Assigner Org ID:9dacffd4-cb11-413f-8451-fbbfd4ddc0ab

Published At:14 Feb, 2024 | 16:30

Updated At:12 May, 2025 | 15:06

▼CVE Numbering Authority (CNA)

BIG-IP and BIG-IQ secure copy vulnerability

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected Products

Vendor

Product

Modules

All Modules

Default Status

unknown

Versions

Affected

From 17.1.0 before 17.1.1 (custom)
From 16.1.0 before 16.1.4 (custom)
From 15.1.0 before 15.1.9 (custom)

Vendor

Product

Modules

Centralized Management

Default Status

unknown

Versions

Affected

From 8.0.0 before * (custom)
- -> unaffectedfromHotfix-BIG-IQ-8.3.0.0.16.118-ENG.iso

Problem Types

Type	CWE ID	Description
CWE	CWE-78	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Type: CWE

CWE ID: CWE-78

Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Metrics

Version	Base score	Base severity	Vector
3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Credits

finder

F5

References

Hyperlink	Resource
https://my.f5.com/manage/s/article/K98606833	vendor-advisory

Hyperlink: https://my.f5.com/manage/s/article/K98606833

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://my.f5.com/manage/s/article/K98606833	vendor-advisory x_transferred

Hyperlink: https://my.f5.com/manage/s/article/K98606833

Resource:

vendor-advisory

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:f5sirt@f5.com

Published At:14 Feb, 2024 | 17:15

Updated At:23 Jan, 2025 | 19:47

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary	3.1	6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 6.7

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CPE Matches

>>big-ip_access_policy_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*

>>big-ip_access_policy_manager>>17.1.0

cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*

>>big-iq_centralized_management>>Versions from 8.0.0(inclusive) to 8.3.0(inclusive)

cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*

>>big-ip_advanced_firewall_manager>>17.1.0

cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*

>>big-ip_analytics>>17.1.0

cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*

>>big-ip_application_acceleration_manager>>17.1.0

cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*

>>big-ip_application_security_manager>>17.1.0

cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*

>>big-ip_domain_name_system>>17.1.0

cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*

>>big-ip_fraud_protection_service>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*

>>big-ip_fraud_protection_service>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*

>>big-ip_fraud_protection_service>>17.1.0

cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*

>>big-ip_global_traffic_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*

>>big-ip_global_traffic_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*

>>big-ip_global_traffic_manager>>17.1.0

cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*

>>big-ip_link_controller>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*

>>big-ip_link_controller>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*

>>big-ip_link_controller>>17.1.0

cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*

>>big-ip_local_traffic_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*

>>big-ip_local_traffic_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*

>>big-ip_local_traffic_manager>>17.1.0

cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*

>>big-ip_policy_enforcement_manager>>Versions from 15.1.0(inclusive) to 15.1.9(exclusive)

cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*

>>big-ip_policy_enforcement_manager>>Versions from 16.1.0(inclusive) to 16.1.4(exclusive)

cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*

>>big-ip_policy_enforcement_manager>>17.1.0

cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-78	Secondary	f5sirt@f5.com
CWE-78	Primary	nvd@nist.gov

CWE ID: CWE-78

Type: Secondary

Source: f5sirt@f5.com

CWE ID: CWE-78

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
https://my.f5.com/manage/s/article/K98606833	f5sirt@f5.com	Vendor Advisory
https://my.f5.com/manage/s/article/K98606833	af854a3a-2127-422b-91ae-364da2661108	Vendor Advisory

Hyperlink: https://my.f5.com/manage/s/article/K98606833

Source: f5sirt@f5.com

Resource:

Vendor Advisory

Hyperlink: https://my.f5.com/manage/s/article/K98606833

Source: af854a3a-2127-422b-91ae-364da2661108

Resource:

Vendor Advisory