CVE-2020-5906

moderate-risk

Published 2020-07-01

In versions 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, the BIG-IP system does not properly enforce the access controls for the scp.blacklist files. This allows Admin and Resource Admin users with Secure Copy (SCP) protocol access to read and overwrite blacklisted files via SCP.

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / LOW complexity

Affected Products (11)

Big-Ip Access Policy Manager

Big-Ip Advanced Firewall Manager

Big-Ip Analytics

Big-Ip Application Acceleration Manager

Big-Ip Application Security Manager

Big-Ip Domain Name System

Big-Ip Fraud Protection Service

Big-Ip Global Traffic Manager

Big-Ip Link Controller

Big-Ip Local Traffic Manager

Big-Ip Policy Enforcement Manager

Affected Vendors

References (4)

Vendor Advisory https://support.f5.com/csp/article/K82518062

Third Party Advisory https://www.kb.cert.org/vuls/id/290915

Vendor Advisory https://support.f5.com/csp/article/K82518062

Third Party Advisory https://www.kb.cert.org/vuls/id/290915

/ 100

moderate-risk

Severity 28/34 · Critical

Exploitability 1/34 · Minimal

Exposure 16/34 · Moderate