CVE-2023-28406: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

A directory traversal vulnerability (CVE-2023-28406) was discovered in an undisclosed page of the BIG-IP Configuration utility. The vulnerability affects BIG-IP systems including versions 13.1.0-13.1.5, 14.1.0-14.1.5.4, 15.1.0-15.1.8.2, and 16.1.0-16.1.3.4. This security flaw was disclosed on May 3, 2023 (NVD).

The vulnerability allows an authenticated attacker with network access to read files with .xml extension through directory traversal. The access to restricted information is limited, and the attacker does not control what information is obtained. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, and low impact on confidentiality (NVD).

The vulnerability primarily affects the confidentiality of the system by allowing unauthorized access to .xml files. The impact is considered low as the access to restricted information is limited and the attacker cannot control what information is obtained (NVD).

F5 has released security patches to address this vulnerability. Users should upgrade to the latest supported versions of BIG-IP that contain fixes for this issue. The specific details about the patches can be found in F5's security advisory (F5 Advisory).