CVE-2022-41835 - Vulnerability Details - OpenCVE

In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
F5	F5os-a F5os-c

Configuration 1 [-]

OR	cpe:2.3:o:f5:f5os-a::::::::
	cpe:2.3:o:f5:f5os-c::::::::

No data.

References

Link	Providers
https://support.f5.com/csp/article/K33484483

History

Wed, 07 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2022-10-19T21:24:53.599Z

Updated: 2025-05-07T20:52:17.700Z

Reserved: 2022-09-30T00:00:00.000Z

Link: CVE-2022-41835

Vulnrichment

Updated: 2024-08-03T12:56:38.001Z

NVD

Status : Modified

Published: 2022-10-19T22:15:13.470

Modified: 2024-11-21T07:23:54.193

Link: CVE-2022-41835

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41835", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "assignerShortName": "f5", "datePublished": "2022-10-19T21:24:53.599Z", "dateUpdated": "2025-05-07T20:52:17.700Z", "dateReserved": "2022-09-30T00:00:00.000Z"}, "containers": {"cna": {"title": "F5OS vulnerability CVE-2022-41835", "datePublic": "2022-10-19T00:00:00.000Z", "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2022-10-19T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller."}], "affected": [{"vendor": "F5", "product": "F5OS-A", "versions": [{"version": "1.x", "status": "affected", "lessThan": "1.1.0", "versionType": "custom"}]}, {"vendor": "F5", "product": "F5OS-C", "versions": [{"version": "1.x", "status": "affected", "lessThan": "1.5.0", "versionType": "custom"}]}], "references": [{"url": "https://support.f5.com/csp/article/K33484483"}], "credits": [{"lang": "en", "value": "This issue was discovered internally by F5."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "INTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.001Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.f5.com/csp/article/K33484483", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T20:52:06.911654Z", "id": "CVE-2022-41835", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T20:52:17.700Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.f5.com/csp/article/K33484483", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:56:38.001Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-41835", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T20:52:06.911654Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T20:52:11.669Z"}}], "cna": {"title": "F5OS vulnerability CVE-2022-41835", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "value": "This issue was discovered internally by F5."}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "F5", "product": "F5OS-A", "versions": [{"status": "affected", "version": "1.x", "lessThan": "1.1.0", "versionType": "custom"}]}, {"vendor": "F5", "product": "F5OS-C", "versions": [{"status": "affected", "version": "1.x", "lessThan": "1.5.0", "versionType": "custom"}]}], "datePublic": "2022-10-19T00:00:00.000Z", "references": [{"url": "https://support.f5.com/csp/article/K33484483"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2022-10-19T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-41835", "state": "PUBLISHED", "dateUpdated": "2025-05-07T20:52:17.700Z", "dateReserved": "2022-09-30T00:00:00.000Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2022-10-19T21:24:53.599Z", "assignerShortName": "f5"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:f5:f5os-a:*:*:*:*:*:*:*:*", "matchCriteriaId": "C88AF594-4D48-4A55-BE21-60391E77AAE7", "versionEndExcluding": "1.1.0", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:f5:f5os-c:*:*:*:*:*:*:*:*", "matchCriteriaId": "93D6CFC6-2131-4113-9E30-8400EBA5AA77", "versionEndExcluding": "1.5.0", "versionStartExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In F5OS-A version 1.x before 1.1.0 and F5OS-C version 1.x before 1.5.0, excessive file permissions in F5OS allows an authenticated local attacker to execute limited set of commands in a container and impact the F5OS controller."}, {"lang": "es", "value": "En F5OS-A versiones 1.x y anteriores a 1.1.0 y en versi\u00f3n 1.x de F5OS-C anteriores a 1.5.0, un exceso de permisos de archivos en F5OS permite a un atacante local autenticado ejecutar un conjunto limitado de comandos en un contenedor y afectar al controlador de F5OS"}], "id": "CVE-2022-41835", "lastModified": "2024-11-21T07:23:54.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 4.7, "source": "f5sirt@f5.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-19T22:15:13.470", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K33484483"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.f5.com/csp/article/K33484483"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}