CVE-2024-26026 - Vulnerability Details - OpenCVE

An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.87823.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
F5	Big-ip Next Central Manager

Configuration 1 [-]

cpe:2.3:a:f5:big-ip_next_central_manager:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://my.f5.com/manage/s/article/K000138733

History

Thu, 12 Dec 2024 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-89
CPEs		cpe:2.3:a:f5:big-ip_next_central_manager::::::::

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2024-05-08T15:01:28.771Z

Updated: 2024-08-01T23:59:31.336Z

Reserved: 2024-04-24T21:34:51.145Z

Link: CVE-2024-26026

Vulnrichment

Updated: 2024-05-08T16:33:49.366Z

NVD

Status : Analyzed

Published: 2024-05-08T15:15:08.623

Modified: 2024-12-12T19:04:05.373

Link: CVE-2024-26026

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26026", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-04-24T21:34:51.145Z", "datePublished": "2024-05-08T15:01:28.771Z", "dateUpdated": "2024-08-01T23:59:31.336Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "BIG-IP Next Central Manager", "vendor": "F5", "versions": [{"lessThan": "20.2.0", "status": "affected", "version": "20.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "F5 acknowledges Vladyslav Babkin of Eclypsium for bringing this issue to our attention and following the highest standards of coordinated disclosure."}], "datePublic": "2024-05-08T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n</span>"}], "value": "\n\n\nAn SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-05-08T15:01:28.771Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000138733"}], "source": {"discovery": "EXTERNAL"}, "title": "BIG-IP Central Manager SQL Injection", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-08T16:30:53.526368Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:f5:big-ip_next_central_manager:20.0.1:*:*:*:*:*:*:*"], "vendor": "f5", "product": "big-ip_next_central_manager", "versions": [{"status": "affected", "version": "20.0.1", "lessThan": "20.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:49:06.557Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:59:31.336Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000138733"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26026", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-04-24T21:34:51.145Z", "datePublished": "2024-05-08T15:01:28.771Z", "dateUpdated": "2024-06-04T17:49:06.557Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "BIG-IP Next Central Manager", "vendor": "F5", "versions": [{"lessThan": "20.2.0", "status": "affected", "version": "20.0.1", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "F5 acknowledges Vladyslav Babkin of Eclypsium for bringing this issue to our attention and following the highest standards of coordinated disclosure."}], "datePublic": "2024-05-08T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n</span>"}], "value": "\n\n\nAn SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-05-08T15:01:28.771Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000138733"}], "source": {"discovery": "EXTERNAL"}, "title": "BIG-IP Central Manager SQL Injection", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-08T16:30:53.526368Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:f5:big-ip_next_central_manager:20.0.1:*:*:*:*:*:*:*"], "vendor": "f5", "product": "big-ip_next_central_manager", "versions": [{"status": "affected", "version": "20.0.1", "lessThan": "20.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-08T16:33:49.366Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_next_central_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "6374E209-0433-4CFF-A5C7-A9DA884F3E31", "versionEndExcluding": "20.2.0", "versionStartIncluding": "20.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\nAn SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated\n\n"}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n SQL en la API (URI) de BIG-IP Next Central Manager. Nota: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan"}], "id": "CVE-2024-26026", "lastModified": "2024-12-12T19:04:05.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-08T15:15:08.623", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138733"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138733"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "f5sirt@f5.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}