
Incorrect Permission Assignment for Critical Resource


Severity Medium
Score 4.9/10


On F5 BIG-IP 16.1.x versions prior to, 15.1.x versions prior to, 14.1.x versions prior to, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, an authenticated, high-privileged attacker with no bash access may be able to access Certificate and Key files using the Secure Copy (SCP) protocol from a remote system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • LOW
  • NONE
  • NONE
  • HIGH
  • HIGH
  • NONE

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.


Advisory Timeline

  • Published