6390 matches found
K14027805: Apache vulnerability CVE-2017-15710
Security Advisory Description In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, modauthnzldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is n...
K98009539: PHP/PCRE vulnerability CVE-2016-1283
Security Advisory Description The pcrecompile2 function in pcrecompile.c in PCRE 8.38 mishandles the /?:F?+?:^?Ra+"99-?J?R?R?RR?R\97?J?J?R?R\99|:?|?R\kR|?RHRRHR/ pattern and related patterns with named subgroups, which allows remote attackers to cause a denial of service heap-based buffer...
K04665443: OpenSSH vulnerability CVE-2021-36368
Security Advisory Description DISPUTED An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cann...
K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027
Security Advisory Description When a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. CVE-2022-23027 Impact Traffic is disrupted for new client...
SOL14054 - CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
Vulnerability Recommended Actions To eliminate this vulnerability, perform one of the following actions: Upgrade to a software version that is listed in the Versions known to be Not Vulnerable column of the table. Upgrade your client browser to a non-vulnerable version. Supplemental Information...
K16090693: Apache HTTP server vulnerability CVE-2021-44224
Security Advisory Description A crafted URI sent to httpd configured as a forward proxy ProxyRequests on can cause a crash NULL pointer dereference or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint...
K93135205: Apache Struts 2 vulnerability CVE-2016-4436
Security Advisory Description Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. CVE-2016-4436 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status...
K55580033: iControl REST vulnerability CVE-2022-35728
Security Advisory Description An authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. CVE-2022-35728 Impact A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user's iControl REST...
K50343021: Node-vm2 vulnerability CVE-2022-36067
Security Advisory Description vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was...
K52340447: F5 ePVA vulnerability CVE-2022-28705
Security Advisory Description On platforms with an ePVA and the pva.fwdaccel BigDB variable enabled, undisclosed requests to a virtual server with a FastL4 profile that has ePVA acceleration enabled can cause the Traffic Management Microkernel TMM process to terminate. CVE-2022-28705 Impact Traff...
K07538415: Multiple OpenSSL vulnerabilities
Security Advisory Description On May 3, 2016, OpenSSL announced the discovery of the following vulnerabilities: CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176 For the complete announcement from OpenSSL, refer to OpenSSL Security Advisory 3rd May 2016. Note :...
SOL07538415 - Multiple OpenSSL vulnerabilities
Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4918: Overview of the F5 critical issue hotfix policy...
SOL16128 - Microsoft Schannel vulnerability CVE-2014-6321
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents. SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
SOL15640 - GNU C Library (glibc) vulnerabilities CVE-2014-0475, CVE-2014-5119, CVE-2013-4458
Most ARX components are based on GNU C library code. Recommended action If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no...
K000161377: NGINX ngx_http_rewrite_module vulnerability CVE-2026-9256
Security Advisory Description NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttprewritemodule module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression PCRE captures for example, ^/.$ and a...
K19473898: Expat vulnerabilities CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, and CVE-2022-25315
Security Advisory Description CVE-2022-23852 Expat aka libexpat before 2.4.4 has a signed integer overflow in XMLGetBuffer, for configurations with a nonzero XMLCONTEXTBYTES. CVE-2022-25235 xmltokimpl.c in Expat aka libexpat before 2.4.5 lacks certain validation of encoding, such as checks for...
K37681312: PHP vulnerability CVE-2019-9020
Security Advisory Description An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpcdecode can lead to an invalid memory access heap out of bounds read or read after free. This is related to xmlelemparsebu...
K46011592: HTTP/2 Empty Frames Flood vulnerability CVE-2019-9518
Security Advisory Description Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or...
K40663742: OpenSSH vulnerability CVE-2004-1653
Security Advisory Description The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS. CVE-2004-1653 Impact There is no impact; F5 products are not...
SOL35799130 - Multiple PHP vulnerabilities
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
SOL56138200 - PHP vulnerability CVE-2016-3078
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
K000156572: Quarterly Security Notification (October 2025)
Security Advisory Description On October 15, 2025, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associate...
K64921482: Apache Tomcat vulnerability CVE-2018-11784
Security Advisory Description When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory e.g. redirecting to '/foo/' when the user requested '/foo' a specially crafted URL could be used to cause the redirect to be...
K13401920: Apache HTTPD vulnerability CVE-2021-36160
Security Advisory Description A carefully crafted request uri-path can cause modproxyuwsgi to read above the allocated memory and crash DoS. This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 inclusive. CVE-2021-36160 Impact A remote attacker, through a crafted request, can exploit t...
K59904248: iControl SOAP vulnerability CVE-2022-29474
Security Advisory Description A directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. CVE-2022-29474 Impact An authenticated attacker with at least guest role privileges may...
K17457324: PHP vulnerability CVE-2020-7066
Security Advisory Description In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using getheaders with user-supplied URL, if the URL contains zero \0 character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions...
K13559191: Linux kernel vulnerability CVE-2022-25636
Security Advisory Description net/netfilter/nfdupnetdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write. This is related to nftablesoffload. CVE-2022-25636 Impact BIG-IP, BIG-IQ Centralized Management, BIG-IP SPK, F5OS-A, and...
K13519: Multiple PHP vulnerabilities
Security Advisory Description PHP has been cited with the following multiple vulnerabilities, which may be locally exploitable on some F5 products: CVE-2006-7243 PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access...
K14161: OpenSSH vulnerability CVE-2007-4752
Security Advisory Description When OpenSSH prior to version 4.7 fails to generate an untrusted cookie, it falls back to create a trusted X11 authentication cookie instead. As a result, attackers may be able to launch an unauthorized forwarded X11 session through SSH. Impact None. F5 products do n...
K24207649: GNU C Library (glibc) vulnerability CVE-2021-3999
Security Advisory Description A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd in a setuid program could use this fla...
K48281956: NFSv2/3 kernel vulnerability CVE-2017-7645
Security Advisory Description The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service system crash via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. CVE-2017-7645 Impact There i...
K86488846: Sudo vulnerability CVE-2021-3156
Security Advisory Description Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character. CVE-2021-3156 Impact A local attacker can exploit the vulnerability to escalate thei...
SOL98009539 - PHP/PCRE vulnerability CVE-2016-1283
Vulnerability Recommended Actions None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL9957: Creating a custom RSS feed to view new and updated documents SOL4602: Overview of the F5 security vulnerability response policy SOL4918: Overview of the F5...
SOL41103561 - libxml2 vulnerability CVE-2016-4448
Vulnerability Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are...
K15850913: PHP vulnerability CVE-2016-6290
Security Advisory Description ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service use-after-free or possibly have unspecified other impact via...
K10631153: Apache Solr vulnerability CVE-2017-12629
Security Advisory Description Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to...
K05121675: F5 TLS vulnerability CVE-2016-9244
Security Advisory Description A BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory, aka the Ticketbleed bug. CVE-2016-9244 Impact A BIG-IP virtual server configured with a Client SSL profile that has the non-default Sessio...
K87922456: NTP vulnerability CVE-2016-9310
Security Advisory Description The control mode mode 6 functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. CVE-2016-9310 Impact In default configurations, F5 products are not vulnerable. If you remove the default restrict...
K21548854: zlib vulnerability CVE-2018-25032
Security Advisory Description zlib before 1.2.12 allows memory corruption when deflating i.e., when compressing if the input has many distant matches. CVE-2018-25032 Impact This vulnerability results in corrupted output, which leads to out-of-bound access, corrupting the memory and potentially...
K000150943: PostgreSQL vulnerabilities CVE-2019-10164, CVE-2020-14349, and CVE-2020-14350
Security Advisory Description CVE-2019-10164 PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often...
K40582331: Apache HTTP server vulnerability CVE-2022-28615
Security Advisory Description Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in apstrcmpmatch when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or...
K15498: Multiple PHP vulnerabilities
Security Advisory Description Description CVE-2014-3981 acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. CVE-2014-4049 Heap-based buffer overflow in the phpparserr function...
K20451100: Apache vulnerability CVE-2022-22721
Security Advisory Description If LimitXMLRequestBody is set to allow request bodies larger than 350MB defaults to 1M on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. CVE-2022-22721 Impact There is no...
SOL17313 - PHP vulnerability CVE-2014-4721
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHPAUTHPW, PHPAUTHTYPE, PHPAUTHUSER, and PHPSELF variables, which might allow context-dependent attackers to obtain sensitive information from process...
SOL15935 - NTP vulnerability CVE-2014-9294
Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not...
K17113: OpenSSH vulnerability CVE-2015-5600
Security Advisory Description The kbdintnextdevice function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a...
K67175700: Apache vulnerabilities CVE-2020-9490, CVE-2020-11984, CVE-2020-11993
Security Advisory Description CVE-2020-9490 Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via...
K5857: Client certificate check vulnerability in Apache - CVE-2005-2700
Security Advisory Description Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information on F5 Networks' security policy regarding evaluating older and unsupported versions of F5 Networks products, refer to K4602:...
SOL14712 - The BIG-IP APM access policy logout page may be vulnerable to XSS cookie tampering
Recommended action To eliminate this vulnerability, upgrade to a version that is listed in the Versions known to be not vulnerable column in the previous table. To mitigate this vulnerability, you can modify the logout web page to null the specific code identified at issue. To do so, perform the...
K000139092: DNS vulnerability CVE-2023-50387
Security Advisory Description Certain DNSSEC aspects of the DNS protocol in RFC 4033, 4034, 4035, 6840, and related RFCs allow remote attackers to cause a denial of service CPU consumption via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone...