Lucene search

K

SSL Visibility Security Vulnerabilities

cve
cve

CVE-2023-46747

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS).....

9.8CVSS

9.7AI Score

0.972EPSS

2023-10-26 09:15 PM
285
In Wild
cve
cve

CVE-2023-46748

An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software...

8.8CVSS

9.4AI Score

0.007EPSS

2023-10-26 09:15 PM
177
In Wild
cve
cve

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October...

7.5CVSS

8AI Score

0.732EPSS

2023-10-10 02:15 PM
2890
In Wild
cve
cve

CVE-2023-45219

Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS)...

4.4CVSS

4.9AI Score

0.0004EPSS

2023-10-10 01:15 PM
31
cve
cve

CVE-2023-41085

When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not...

7.5CVSS

7.5AI Score

0.0005EPSS

2023-10-10 01:15 PM
35
cve
cve

CVE-2023-43746

When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which...

8.7CVSS

8.3AI Score

0.001EPSS

2023-10-10 01:15 PM
43
cve
cve

CVE-2023-41964

The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. Note: Software versions which have reached End of Technical Support (EoTS) are not...

6.5CVSS

6.5AI Score

0.0005EPSS

2023-10-10 01:15 PM
39
cve
cve

CVE-2023-43485

When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log. Note: Software versions which have reached End of Technical Support (EoTS) are not...

5.5CVSS

5.8AI Score

0.0004EPSS

2023-10-10 01:15 PM
37
cve
cve

CVE-2023-41373

A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software...

9.9CVSS

9.3AI Score

0.002EPSS

2023-10-10 01:15 PM
43
cve
cve

CVE-2023-42768

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource. Note:...

7.2CVSS

7AI Score

0.001EPSS

2023-10-10 01:15 PM
32
cve
cve

CVE-2023-43611

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418. Note: Software versions which have reached End of Technical Support (EoTS) are not...

7.8CVSS

7.5AI Score

0.0004EPSS

2023-10-10 01:15 PM
40
cve
cve

CVE-2023-40534

When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached...

7.5CVSS

7.6AI Score

0.0005EPSS

2023-10-10 01:15 PM
44
cve
cve

CVE-2023-40542

When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not...

7.5CVSS

7.5AI Score

0.0005EPSS

2023-10-10 01:15 PM
38
cve
cve

CVE-2023-40537

An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (EoTS) are not...

8.1CVSS

7.9AI Score

0.001EPSS

2023-10-10 01:15 PM
39
cve
cve

CVE-2023-38138

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not...

7.5CVSS

5.9AI Score

0.0005EPSS

2023-08-02 04:15 PM
44
cve
cve

CVE-2023-3470

Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information...

6.1CVSS

6.2AI Score

0.001EPSS

2023-08-02 04:15 PM
20
cve
cve

CVE-2023-38423

A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not...

5.4CVSS

5.3AI Score

0.0004EPSS

2023-08-02 04:15 PM
23
cve
cve

CVE-2023-38419

An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not...

4.3CVSS

4.8AI Score

0.0004EPSS

2023-08-02 04:15 PM
2340
cve
cve

CVE-2023-29163

When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not...

7.5CVSS

7.5AI Score

0.001EPSS

2023-05-03 03:15 PM
15
cve
cve

CVE-2023-27378

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not.....

7.5CVSS

6.2AI Score

0.0005EPSS

2023-05-03 03:15 PM
21
cve
cve

CVE-2023-24594

When an SSL profile is configured on a Virtual Server, undisclosed traffic can cause an increase in CPU or SSL accelerator resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not...

5.3CVSS

5.6AI Score

0.0005EPSS

2023-05-03 03:15 PM
21
cve
cve

CVE-2023-28406

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained. Note:...

4.3CVSS

4.6AI Score

0.0005EPSS

2023-05-03 03:15 PM
17
cve
cve

CVE-2022-41983

On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even.....

3.7CVSS

4.5AI Score

0.001EPSS

2022-10-19 10:15 PM
39
3
cve
cve

CVE-2002-20001

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. The client needs very little CPU...

7.5CVSS

7.3AI Score

0.01EPSS

2021-11-11 07:15 PM
187
2
cve
cve

CVE-2017-15533

Symantec SSL Visibility (SSLV) 3.8.4FC, 3.10 prior to 3.10.4.1, 3.11, and 3.12 prior to 3.12.2.1 are vulnerable to the Return of the Bleichenbacher Oracle Threat (ROBOT) attack. All affected SSLV versions act as weak oracles according the oracle classification used in the ROBOT research paper. A...

5.9CVSS

5.5AI Score

0.002EPSS

2018-05-17 01:29 PM
29
cve
cve

CVE-2016-10259

Symantec SSL Visibility (SSLV) 3.8.4FC, 3.9, 3.10 before 3.10.4.1, and 3.11 before 3.11.3.1 is susceptible to a denial-of-service vulnerability that impacts the SSL servers for intercepted SSL connections. A malicious SSL client can, under certain circumstances, temporarily exhaust the TCP...

5.9CVSS

5.7AI Score

0.003EPSS

2017-04-11 02:59 PM
21
cve
cve

CVE-2015-4138

The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive...

6.1AI Score

0.004EPSS

2015-05-30 07:59 PM
18
cve
cve

CVE-2015-2854

The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME...

6.7AI Score

0.004EPSS

2015-05-30 07:59 PM
25
cve
cve

CVE-2015-2855

The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not set the secure flag for the administrator's cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its...

6.5AI Score

0.004EPSS

2015-05-30 07:59 PM
21
cve
cve

CVE-2015-2853

Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session...

6.9AI Score

0.006EPSS

2015-05-30 07:59 PM
25
cve
cve

CVE-2015-2852

Cross-site request forgery (CSRF) vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack the authentication of...

7.3AI Score

0.001EPSS

2015-05-30 07:59 PM
20