CVE-2022-27636
Last modified
CVE-2022-27636 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Access Policy Manager | 11.6.1 |
| F5 | Big-Ip Access Policy Manager | 11.6.2 |
| F5 | Big-Ip Access Policy Manager | 11.6.3 |
| F5 | Big-Ip Access Policy Manager | 11.6.4 |
| F5 | Big-Ip Access Policy Manager | 11.6.5 |
| F5 | Big-Ip Access Policy Manager | 12.1.0 |
| F5 | Big-Ip Access Policy Manager | 12.1.1 |
| F5 | Big-Ip Access Policy Manager | 12.1.2 |
| F5 | Big-Ip Access Policy Manager | 12.1.3 |
| F5 | Big-Ip Access Policy Manager | 12.1.4 |
| F5 | Big-Ip Access Policy Manager | 12.1.5 |
| F5 | Big-Ip Access Policy Manager | 12.1.6 |
| F5 | Big-Ip Access Policy Manager | 13.1.0 |
| F5 | Big-Ip Access Policy Manager | 13.1.1 |
| F5 | Big-Ip Access Policy Manager | 13.1.2 |
| F5 | Big-Ip Access Policy Manager | 13.1.3 |
| F5 | Big-Ip Access Policy Manager | 13.1.4 |
| F5 | Big-Ip Access Policy Manager | 13.1.5 |
| F5 | Big-Ip Access Policy Manager | 14.1.0 |
| F5 | Big-Ip Access Policy Manager | 14.1.2 |
| F5 | Big-Ip Access Policy Manager | 14.1.3 |
| F5 | Big-Ip Access Policy Manager | 14.1.4 |
| F5 | Big-Ip Access Policy Manager | 15.1.0 |
| F5 | Big-Ip Access Policy Manager | 15.1.1 |
| F5 | Big-Ip Access Policy Manager | 15.1.2 |
| F5 | Big-Ip Access Policy Manager | 15.1.3 |
| F5 | Big-Ip Access Policy Manager | 15.1.4 |
| F5 | Big-Ip Access Policy Manager | 15.1.5 |
| F5 | Big-Ip Access Policy Manager | 16.1.0 |
| F5 | Big-Ip Access Policy Manager | 16.1.1 |
| F5 | Big-Ip Access Policy Manager | 16.1.2 |
| F5 | Big-Ip Access Policy Manager Client | >= 7.1.6, <= 7.2.1 |
References
- https://support.f5.com/csp/article/K57110035Vendor Advisory
- https://support.f5.com/csp/article/K57110035Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-27636?
How severe is CVE-2022-27636?
How do I fix CVE-2022-27636?
Are you affected by CVE-2022-27636?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST