6392 matches found
SOL16827 - Apache Struts vulnerability CVE-2015-1831
Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value. Recommended Action None Supplemental Information SOL9970: Subscribing to email notifications regarding F5 products SOL995...
SOL15933 - NTP vulnerability CVE-2014-9296
Recommended action If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version...
SOL15500 - SSL acceleration card timing vulnerability CVE-2014-4024
Vulnerability Recommended Actions If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not...
SOL11719 - Mitigating risk from SSH brute force login attacks
Vulnerability Description F5 products and versions that are affected by this Security Advisory F5 Product Development has determined that all products and versions are affected by the issue described in this security advisory. Note: For information about signing up to receive security notice...
SOL8508 - Cross-site scripting vulnerability in installControl.php3 page
A cross-site scripting XSS vulnerability exists in the FirePass installControl.php3 page, which is accessible prior to authentication. The installControl.php3 page fails to fully sanitize URL input before the web page content is sent to the browser. It is possible for an attacker to create web...
SOL6701 - Possible logon through native RSA SecurID authentication without valid passcode
An issue with the FirePass controller could permit logins without valid RSA SecurID passcodes. Under heavy load conditions, the FirePass controller can enter into a state where an invalid password in the form of the SecurID passcode is accepted if the username is a valid user in a master group...
SOL3066 - OpenSSH buffer management vulnerability - CA-2003-24
For information about this vulnerability, refer to...
K000161576: Linux kernel vulnerabilities CVE-2025-39841 and CVE-2025-39727
Security Advisory Description CVE-2025-39841 In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the ...
K000156685: Multiple ImageMagick vulnerabilities
Security Advisory Description CVE-2014-9808 ImageMagick allows remote attackers to cause a denial of service segmentation fault and application crash via a crafted dpc image. CVE-2014-9809 ImageMagick allows remote attackers to cause a denial of service segmentation fault and application crash vi...
K000150394: Intel QuickAssist Technology vulnerabilities CVE-2024-29223, CVE-2023-32277, CVE-2024-31153, and CVE-2024-31858
Security Advisory Description CVE-2024-29223 Uncontrolled search path for some IntelR QuickAssist Technology software before version 2.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-32277 Untrusted Pointer Dereference in I/O subsystem...
K000150185: TCP/IP protocol vulnerabilities CVE-2024-7595, CVE-2024-7596, CVE-2025-23018, and CVE-2025-23019
Security Advisory Description CVE-2024-7595 GRE and GRE6 Protocols RFC2784 do not validate or verify the source of a network packet allowing an attacker to spoof and route arbitrary traffic via an exposed network interface that can lead to spoofing, access control bypass, and other unexpected...
K000149073: PostgreSQL vulnerabilities CVE-2021-3393, CVE-2015-5289, and CVE-2017-8806
Security Advisory Description CVE-2021-3393 An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose...
K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862
Security Advisory Description CVE-2019-3858 An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory...
K000148694: nghttp2 vulnerabilities CVE-2023-35945 and CVE-2020-11080
Security Advisory Description CVE-2023-35945 Envoy is a cloud-native high-performance edge/middle/service proxy. Envoy’s HTTP/2 codec may leak a header map and bookkeeping structures upon receiving RSTSTREAM immediately followed by the GOAWAY frames from an upstream server. In nghttp2, cleanup of...
K000148511: WebKitGTK and WPE WebKit vulnerability CVE-2023-42950
Security Advisory Description A use after free issue was addressed with improved memory management. This issue is fixed in Safari 17.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2, watchOS 10.2, macOS Sonoma 14.2. Processing maliciously crafted web content may lead to arbitrary code execution...
K000148485: qt vulnerabilities CVE-2017-10905 and CVE-2014-0190
Security Advisory Description CVE-2017-10905 A vulnerability in applications created using Qt for Android prior to 5.9.3 allows attackers to alter environment variables via unspecified vectors. CVE-2014-0190 The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of...
K000148343: Diffie-Hellman key exchange protocol vulnerability CVE-2024-41996
Security Advisory Description Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers from the client side to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client...
K000148290: Moment.JS vulnerabilities CVE-2017-18214 and CVE-2022-24785
Security Advisory Description CVE-2017-18214 The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. CVE-2022-24785 Moment.js is a JavaScript date library for parsing, validating,...
K000141528: glibc vulnerability CVE-2024-33600
Security Advisory Description nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's nscd cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cach...
K000141358: Multiple libpng vulnerabilities
Security Advisory Description CVE-2016-3751 Unspecified vulnerability in libpng before 1.6.20, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01, allows attackers to gain privileges via a crafted application, as demonstrated by obtaining...
K000140953: libarchive vulnerability CVE-2023-30571
Security Advisory Description Libarchive through 3.6.2 can cause directories to have world-writable permissions. The umask call inside archivewritediskposix.c changes the umask of the whole process for a very short period of time; a race condition with another thread can lead to a permanent umask...
K000140742: MySQL vulnerability CVE-2024-21179
Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.37 and prior and 8.4.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...
K000139938: BIG-IP Next Central Manager vulnerability CVE-2024-37028
Security Advisory Description BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. CVE-2024-37028 Impact An unauthenticated attacker can exploit this vulnerability to lock out a BIG-IP Next Central Manager webUI account that has never been logged...
K000140006: BIG-IP Next Central Manager vulnerability CVE-2024-41719
Security Advisory Description When you generate a QKView file of a BIG-IP Next instance from the BIG-IP Next Central Manager, F5 iHealth credentials are logged in the BIG-IP Central Manager log file. CVE-2024-41719 Impact The F5 iHealth credentials entered on the BIG-IP Next Central Manager to...
K000139646: MySQL Server vulnerabilities CVE-2024-21052 and CVE-2024-21053
Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQ...
K000139217: BIG-IP TMM tenants on VELOS and rSeries vulnerability CVE-2024-32761
Security Advisory Description Under certain conditions, a data leak may occur in the Traffic Management Microkernels TMMs of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occurs, it may leak up to 64 bytes of...
K000139229: Tempesta vulnerability CVE-2024-2758
Security Advisory Description Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately. CVE-2024-2758 Impact There is no impact; F5 products are not affected by this...
K91054692: BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976
Security Advisory Description When running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions utilizing iAppsLX templates on a BIG-IP system. CVE-2024-23976 Impact An authenticated attacker with local system access and th...
K000137798: Dbus Subscription Manager vulnerability CVE-2023-3899
Security Advisory Description A vulnerability was found in subscription-manager that allows local privilege escalation due to inadequate authorization. The D-Bus interface com.redhat.RHSM1 exposes a significant number of methods to all users that could change the state of the registration. By usi...
K000135633: OpenSSL vulnerability CVE-2023-2975
Security Advisory Description Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries ...
K000135504: BIND vulnerability CVE-2023-2911
Security Advisory Description If the recursive-clients quota is reached on a BIND 9 resolver configured with both stale-answer-enable yes; and stale-answer-client-timeout 0;, a sequence of serve-stale-related lookups could cause named to loop and terminate unexpectedly due to a stack overflow. Th...
K000135149: Oracle Java SE vulnerability CVE-2023-21938
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Libraries. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 a...
K000134671: Paramiko vulnerability CVE-2018-1000805
Security Advisory Description Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity. CVE-2018-1000805 Impact There is no impact; F5...
K000134616: Intel i915 Graphics Drivers for Linux vulnerability CVE-2023-28410
Security Advisory Description Improper restriction of operations within the bounds of a memory buffer in some IntelR i915 Graphics drivers for linux before kernel version 6.2.10 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2023-28410 Impact...
K000133656: Oracle Java vulnerability CVE-2023-21954
Security Advisory Description Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and...
K50254952: BIG-IP Configuration utility vulnerability CVE-2018-5523
Security Advisory Description When authenticated administrative users run commands in the Traffic Management User Interface TMUI, also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. CVE-2018-5523 Impact BIG-IP and Enterprise Manager This...
K23024812: BIG-IP APM vulnerability CVE-2018-5544
Security Advisory Description When the BIG-IP APM system renders certain pages with a logon agent or a confirm box, the system may disclose configuration information such as partition and agent names via URI parameters. CVE-2018-5544 Impact This vulnerability allows unauthorized disclosure of...
K28855111: BIG-IQ HA vulnerability CVE-2020-5869
Security Advisory Description BIG-IQ high availability HA synchronization is not secure by TLS and may allow on-path attackers to read / modify confidential data in transit. CVE-2020-5869 Impact Certain BIG-IQ data may be compromised when the vulnerability is exploited on a BIG-IQ HA configuratio...
K17114: NTP vulnerability CVE-2015-5146
Security Advisory Description ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service service crash via a NULL byte i...
K03585731: F5 secure shell vulnerability CVE-2020-5873
Security Advisory Description A user associated with the Resource Administrator role who has access to the secure copy scp utility but does not have access to Advanced Shell bash can execute arbitrary commands using a maliciously crafted scp request. CVE-2020-5873 Impact An authenticated user wit...
K12234501: BIG-IP virtual server vulnerability CVE-2020-5883
Security Advisory Description When a virtual server is configured with HTTP explicit proxy and has an attached HTTPPROXYREQUEST iRule, POST requests sent to the virtual server cause an xdata memory leak. CVE-2020-5883 Impact The BIG-IP system may become vulnerable to conditions that result when i...
K17597093: 389-ds-base vulnerability CVE-2017-15135
Security Advisory Description It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. A remote, unauthenticated attacker could potentially use this flaw to bypass the...
K91610944: Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496
Security Advisory Description CVE-2020-24492 Insufficient access control in the firmware for the IntelR 722 Ethernet Controllers before version 1.5 may allow a privileged user to potentially enable a denial of service via local access. CVE-2020-24493 Insufficient access control in the firmware fo...
K12403422: BIG-IP ASM vulnerability CVE-2018-5541
Security Advisory Description When the BIG-IP ASM system processes HTTP requests, an unusually large number of parameters can cause excessive CPU usage in the BIG-IP ASM bd process. CVE-2018-5541 Impact BIG-IP When this vulnerability is exploited, the BIG-IP ASM system may experience a denial of...
K23432927: The BIG-IP ASM system may redirect a client request to an incorrect URL
Security Advisory Description The BIG-IP ASM system may redirect a client request to an incorrect URL after the client browser passes the client-side integrity defense JavaScript challenge. This issue occurs when all of the following conditions are met: You have enabled the Client Side Integrity...
K31152411: BIG-IP Analytics vulnerability CVE-2019-6655
Security Advisory Description BIG-IP platforms provisioned with AAM, AFM, Application Visibility and Reporting AVR, APM, ASM, and/or PEM may leak sensitive data. CVE-2019-6655 Impact BIG-IP AAM, AFM, AVR, APM, ASM, PEM The vulnerability is only present on BIG-IP systems provisioned with AAM, AFM,...
K02951273: NTP vulnerability CVE-2017-6463
Security Advisory Description NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service daemon crash via an invalid setting in a :config directive, related to the unpeer option. CVE-2017-6463 Impact A remote, authenticated attacker may exploit this...
K67825238: iControl REST vulnerability CVE-2019-6638
Security Advisory Description Malformed http requests made to an undisclosed iControl REST endpoint can lead to infinite loop of the restjavad process. CVE-2019-6638 Impact All authenticated users, regardless of role, can exploit this vulnerability, which can result in a denial-of-service DoS for...
K16343: OpenLDAP vulnerabilities CVE-2015-1545 and CVE-2015-1546
Security Advisory Description CVE-2015-1545 The derefparseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service NULL pointer dereference and crash via an empty attribute list in a deref control in a search request...
K10329515: BIG-IP PEM vulnerability CVE-2018-5508
Security Advisory Description Under certain conditions, TMM may produce a core file and restart when processing compressed data though a virtual server with an associated PEM profile using the content insertion option. CVE-2018-5508 Impact The Traffic Management Microkernel TMM generates a core...