BIG-IP iControl REST vulnerability

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

不充分的会话过期机制

F5 BIG-IP 代码问题漏洞

F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在代码问题漏洞，该漏洞源于当通过 iControl REST PUT 请求为非管理员用户分配管理员角色后，该用户的角色将通过配置实用程序、tmsh 或 iControl REST 恢复为非管理员角色。 BIG-IP 非管理员用户仍然可以访问 iControl REST 管理资源。

N/A

N/A