CVE-2023-22341 HIGH

CVE-2023-22341: BIG-IP APM OAuth vulnerability

Vendor F5

Product BIG-IP

Weakness CWE-476

Published February 1, 2023

Last update March 26, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to '/' * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

02Disclosure timeline

February 1, 2023 CVE published

March 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-22341 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/476.html

Related vulnerabilities

Identifiers

CVE CVE-2023-22341

CWE CWE-476

CVSS 7.5 / HIGH

Affected versions

Vendor F5

Product BIG-IP

Affected ≥ 14.1.0 and < 14.1.5.3

Vendor F5

Product BIG-IP

Affected ≥ 13.1.0 and < *

CVE-2023-22341: BIG-IP APM OAuth vulnerability

01Description

02Disclosure timeline

03References

04Related CVE