CVE-2014-8727

F5 BIG-IP 10.1.0 - Directory Traversal

Severity Score

4.4

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/jspmap/tmui/system/archive/properties.jsp or (2) tmui/Control/form.

Múltiples vulnerabilidades de salto de directorio en F5 BIG-IP anterior a 10.2.2 permite a usuarios locales con el rol de 'Administrador de recursos' o el de 'Administrador' enumerar y eliminar archivos de su elección mediante un .. (punto punto) en el nombre del parámetro a (1) mui/Control/jspmap/tmui/system/archive/properties.jsp o (2) tmui/Control/form.

F5 BIG-IP version 10.1.0 suffers from a directory traversal vulnerability that can allow an authenticated user the ability to delete any system file and enumerate their existence.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-11-10 CVE Reserved
2014-11-12 CVE Published
2014-11-12 First Exploit
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (9)

URL	Tag	Source
http://www.securityfocus.com/bid/71063	Vdb Entry
http://www.securitytracker.com/id/1031216	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/98676	Vdb Entry
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_11_0_0_ltm.html	X_refsource_confirm

URL	Date	SRC
https://packetstorm.news/files/id/129084	2014-11-12
https://www.exploit-db.com/exploits/35222	2014-11-13
http://packetstormsecurity.com/files/129084/F5-BIG-IP-10.1.0-Directory-Traversal.html	2024-08-06
http://www.exploit-db.com/exploits/35222	2024-08-06

URL	Date	SRC

URL	Date	SRC
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13109.html	2017-09-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
F5 Search vendor "F5"		Big-ip Local Traffic Manager Search vendor "F5" for product "Big-ip Local Traffic Manager"				<= 10.2.1 Search vendor "F5" for product "Big-ip Local Traffic Manager" and version " <= 10.2.1"		-		Affected