
F5 Networks • added 2023/05/11 5:54 p.m.

K000134573: MySQL vulnerability CVE-2023-21971

Security Advisory Description: Vulnerability in the MySQL Connectors product of Oracle MySQL component: Connector/J. Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromis...

CVSS 5.3 • AI score 4.5 • EPSS 0.01286 • Exploits: 1
F5 Networks • added 2023/05/11 4:42 p.m.

K000134570: OpenJDK vulnerability CVE-2023-21937

Security Advisory Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Networking. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5...

CVSS 3.7 • AI score 5.5 • EPSS 0.01208 • Exploits: 0 • Affected Software: 1
F5 Networks • added 2023/05/10 4:15 p.m.

K000133761: Python vulnerability CVE-2021-3177

Security Advisory Description: Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param...

CVSS 9.8 • AI score 8.6 • EPSS 0.23293 • Exploits: 1 • Affected Software: 2
F5 Networks • added 2023/05/09 2:20 a.m.

K000134517: Eclipse vulnerability CVE-2020-6950

Security Advisory Description: Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. CVE-2020-6950. Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status: F5 Product...

CVSS 6.5 • AI score 7.1 • EPSS 0.10124 • Exploits: 0
F5 Networks • added 2023/05/08 8:35 p.m.

K000134507: jQuery UI vulnerability CVE-2022-31160

Security Advisory Description: jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes...

CVSS 6.1 • AI score 6.5 • EPSS 0.01895 • Exploits: 1
F5 Networks • added 2023/05/08 6:21 p.m.

K000134496: Jettison vulnerability CVE-2022-45685

Security Advisory Description: A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. CVE-2022-45685. Impact: System performance degradation can occur until the process is forced to restart. This vulnerability allows an attacker to cause a...

CVSS 7.5 • AI score 8.2 • EPSS 0.01395 • Exploits: 1 • Affected Software: 1
F5 Networks • added 2023/05/08 3:03 p.m.

K000133759: Python vulnerability CVE-2020-26116

Security Advisory Description: http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of...

CVSS 7.2 • AI score 7.2 • EPSS 0.06283 • Exploits: 1 • Affected Software: 4
F5 Networks • added 2023/05/08 7:57 a.m.

K000134500: Spring Framework vulnerability CVE-2023-20860

Security Advisory Description: Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass...

CVSS 7.5 • AI score 6.7 • EPSS 0.03514 • Exploits: 1
F5 Networks • added 2023/05/04 9:42 p.m.

K000134475: Multiple MySQL vulnerabilities

Security Advisory Description: CVE-2023-21911 - Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

CVSS 7.5 • AI score 5.4 • EPSS 0.01501 • Exploits: 0
F5 Networks • added 2023/05/04 4:44 p.m.

K000134469: MySQL vulnerability CVE-2023-21963

Security Advisory Description: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Connection Handling. Supported versions that are affected are 5.7.40 and prior and 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via...

CVSS 2.7 • AI score 5 • EPSS 0.00989 • Exploits: 0 • Affected Software: 13
F5 Networks • added 2023/05/03 1:05 p.m.

K000133251: Overview of F5 vulnerabilities (May 2023)

Security Advisory Description: On May 3, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...

CVSS 8.8 • AI score 6 • EPSS 0.01474 • Exploits: 0
F5 Networks • added 2023/05/03 12:59 p.m.

K000133233: NGINX Management Suite vulnerability CVE-2023-28724

Security Advisory Description: NGINX Management Suite default file permissions are set such that an authenticated attacker may be able to modify sensitive files on NGINX Instance Manager and NGINX API Connectivity Manager. CVE-2023-28724. Impact: Incorrect permissions on certain files may cause a...

CVSS 7.1 • AI score 6.8 • EPSS 0.00171 • Exploits: 0 • Affected Software: 3
F5 Networks • added 2023/05/03 12:57 p.m.

K000132539: BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461

Security Advisory Description: An improper certificate validation vulnerability exists in BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. CVE-2023-24461. Impact: An unauthenticated attacker with a man-in-the-middle (MITM) position may exploit this...

CVSS 7.4 • AI score 5.9 • EPSS 0.00286 • Exploits: 0 • Affected Software: 2
F5 Networks • added 2023/05/03 12:54 p.m.

K20145107: BIG-IP UDP profile vulnerability CVE-2023-29163

Security Advisory Description: When a UDP profile with Idle Timeout set to Immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. CVE-2023-29163. Impact: Traffic is disrupted while the TMM process restarts. This...

CVSS 7.5 • AI score 7.6 • EPSS 0.00616 • Exploits: 0 • Affected Software: 13
F5 Networks • added 2023/05/03 12:39 p.m.

K000132719: BIG-IQ iControl REST vulnerability CVE-2023-29240

Security Advisory Description: An authenticated attacker granted a Viewer or Auditor role on a BIG-IQ system can upload arbitrary files using an undisclosed iControl REST endpoint. CVE-2023-29240. Impact: This vulnerability may allow an authenticated attacker with network access to iControl REST to...

CVSS 5.4 • AI score 5.6 • EPSS 0.00405 • Exploits: 0 • Affected Software: 1
F5 Networks • added 2023/05/03 12:32 p.m.

K000133417: NGINX Management Suite vulnerability CVE-2023-28656

Security Advisory Description: NGINX Management Suite may allow an authenticated attacker to gain access to configuration objects outside of their assigned environment. CVE-2023-28656. Impact: This vulnerability may allow an authenticated attacker to bypass the authorization policy and read or modif...

CVSS 8.1 • AI score 8.6 • EPSS 0.00528 • Exploits: 0 • Affected Software: 3
F5 Networks • added 2023/05/03 12:29 p.m.

K000132522: BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372

Security Advisory Description: In the pre-connection stage, an improper enforcement of message integrity vulnerability exists in BIG-IP Edge Client for Windows and Mac OS. CVE-2023-22372. Impact: An unauthenticated attacker with a man-in-the-middle position between the BIG-IP Edge Client and BIG-IP...

CVSS 5.9 • AI score 6 • EPSS 0.00219 • Exploits: 0 • Affected Software: 2
F5 Networks • added 2023/05/03 12:27 p.m.

K000133132: BIG-IP TMM SSL vulnerability CVE-2023-24594

Security Advisory Description: When an SSL profile is configured on a virtual server, undisclosed traffic can cause an increase in CPU or SSL accelerator resource utilization. CVE-2023-24594. Impact: System performance can degrade until the attacker's connections are closed. This vulnerability allow...

CVSS 5.3 • AI score 5.7 • EPSS 0.00557 • Exploits: 0 • Affected Software: 13
F5 Networks • added 2023/05/03 12:19 p.m.

K000132768: BIG-IP Configuration utility vulnerability CVE-2023-28406

Security Advisory Description: A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that may allow an authenticated attacker to read files with an .xml extension. Access to restricted information is limited and the attacker does not control what...

CVSS 4.3 • AI score 4.8 • EPSS 0.01187 • Exploits: 0 • Affected Software: 13
F5 Networks • added 2023/05/03 12:10 p.m.

K000132972: BIG-IP iQuery mesh vulnerability CVE-2023-28742

Security Advisory Description: When DNS is provisioned, an authenticated remote command execution vulnerability exists in DNS iQuery mesh. CVE-2023-28742. Impact: This vulnerability may allow an authenticated attacker with network access to the DNS iQuery mesh through the BIG-IP management port and/...

CVSS 8.8 • AI score 8.9 • EPSS 0.01474 • Exploits: 0 • Affected Software: 1
F5 Networks • added 2023/05/03 12:06 p.m.

K000132726: BIG-IP Configuration utility XSS vulnerability CVE-2023-27378

Security Advisory Description: Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility that allow an attacker to run JavaScript in the context of the currently logged-in user. CVE-2023-27378. Impact: An attacker may exploit this...

CVSS 7.5 • AI score 6 • EPSS 0.00387 • Exploits: 0 • Affected Software: 13
F5 Networks • added 2023/05/01 7:06 p.m.

K000133753: PHP vulnerability CVE-2023-0662

Security Advisory Description: In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU...

CVSS 7.5 • AI score 6.9 • EPSS 0.01408 • Exploits: 0 • Affected Software: 12
F5 Networks • added 2023/05/01 3:38 p.m.

K000133752: OpenSSL vulnerability CVE-2023-1255

Security Advisory Description: Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash ...

CVSS 5.9 • AI score 6.4 • EPSS 0.00961 • Exploits: 0
F5 Networks • added 2023/04/28 6:27 p.m.

K000133706: OpenSSL vulnerability CVE-2023-0464

Security Advisory Description: A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain th...

CVSS 7.5 • AI score 6.9 • EPSS 0.03658 • Exploits: 0 • Affected Software: 3
F5 Networks • added 2023/04/28 6:20 p.m.

K000133615: device-mapper-multipath vulnerability CVE-2022-41974

Security Advisory Description: multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This c...

CVSS 7.8 • AI score 7.5 • EPSS 0.00606 • Exploits: 4 • Affected Software: 4
F5 Networks • added 2023/04/28 4:27 p.m.

K000133710: apache-commons-compress vulnerability CVE-2021-36090

Security Advisory Description: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress'...

CVSS 7.5 • AI score 6.2 • EPSS 0.13292 • Exploits: 0
F5 Networks • added 2023/04/28 7:58 a.m.

K000133699: Oracle WebLogic Server vulnerabilities CVE-2023-21964, CVE-2023-21979, and CVE-2023-21996

Security Advisory Description: CVE-2023-21964 - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with netwo...

CVSS 7.5 • AI score 7.6 • EPSS 0.00842 • Exploits: 0
F5 Networks • added 2023/04/28 3:23 a.m.

K000133694: MySQL vulnerabilities CVE-2023-21929, CVE-2023-21976, and CVE-2023-21980

Security Advisory Description: CVE-2023-21929 - Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DDL. Supported versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to...

CVSS 7.1 • AI score 5.5 • EPSS 0.01272 • Exploits: 0
F5 Networks • added 2023/04/27 9:50 p.m.

K000133692: OpenSLP vulnerability CVE-2023-29552

Security Advisory Description: The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor. CVE-2023-295...

CVSS 7.5 • AI score 8 • EPSS 0.65873 • Exploits: 1
F5 Networks • added 2023/04/27 5:37 p.m.

K000133687: MySQL vulnerabilities CVE-2023-21913, CVE-2023-21920, CVE-2023-21945, CVE-2023-21977, and CVE-2023-21982

Security Advisory Description: CVE-2023-21913 - Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protoco...

CVSS 4.9 • AI score 5.2 • EPSS 0.01456 • Exploits: 0
F5 Networks • added 2023/04/27 4:23 p.m.

K000133686: protobuf-java vulnerability CVE-2021-22569

Security Advisory Description: An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects...

CVSS 7.5 • AI score 6.5 • EPSS 0.01655 • Exploits: 1
F5 Networks • added 2023/04/27 12:54 a.m.

K000133668: Python urllib3 vulnerability CVE-2018-20060

Security Advisory Description: urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or...

CVSS 9.8 • AI score 7.8 • EPSS 0.04488 • Exploits: 0
F5 Networks • added 2023/04/27 12:53 a.m.

K000133652: Python vulnerability CVE-2018-18074

Security Advisory Description: The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. CVE-2018-18074. Impact: Fo...

CVSS 7.5 • AI score 7.7 • EPSS 0.07443 • Exploits: 2
F5 Networks • added 2023/04/27 12:50 a.m.

K000133448: Python urllib3 vulnerability CVE-2019-11324

Security Advisory Description: The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct...

CVSS 7.5 • AI score 7.7 • EPSS 0.02813 • Exploits: 0
F5 Networks • added 2023/04/26 9:45 p.m.

K000133673: Bootstrap vulnerability CVE-2016-10735

Security Advisory Description: In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041. CVE-2016-10735. Impact: An attacker may exploit this vulnerability to perform a cross-site scripting (XSS) attack...

CVSS 6.1 • AI score 6.9 • EPSS 0.04158 • Exploits: 1 • Affected Software: 14
F5 Networks • added 2023/04/25 9:32 a.m.

K000133656: Oracle Java vulnerability CVE-2023-21954

Security Advisory Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and...

CVSS 5.9 • AI score 5.6 • EPSS 0.01421 • Exploits: 0
F5 Networks • added 2023/04/25 4:10 a.m.

K000133633: Intel BIOS firmware vulnerability CVE-2022-32231

Security Advisory Description: Improper initialization in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-32231. Impact: This vulnerability may allow a privileged user to potentially enable escalation o...

CVSS 7.5 • AI score 7.4 • EPSS 0.00211 • Exploits: 0 • Affected Software: 1
F5 Networks • added 2023/04/24 7:54 p.m.

K000133630: Intel processor vulnerability CVE-2022-26343

Security Advisory Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2022-26343. Impact: This vulnerability may allow a privileged user to potentially enable escalation o...

CVSS 8.2 • AI score 7.5 • EPSS 0.00249 • Exploits: 0 • Affected Software: 14
F5 Networks • added 2023/04/24 4:41 p.m.

K000133635: Intel BIOS vulnerabilities CVE-2021-0187, CVE-2022-26837

Security Advisory Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVE-2021-0187. Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a...

CVSS 8.2 • AI score 6.2 • EPSS 0.00223 • Exploits: 0
F5 Networks • added 2023/04/24 4:28 p.m.

K000133644: Linux kernel vulnerability CVE-2023-0266

Security Advisory Description: A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a privilege escalation to gain ring0 access from the system user. We recommend...

CVSS 7.9 • AI score 7.4 • EPSS 0.03702 • Exploits: 0
F5 Networks • added 2023/04/21 11:13 p.m.

K000133616: Node.js vulnerability CVE-2023-23919

Security Advisory Description: A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that...

CVSS 7.5 • AI score 6.6 • EPSS 0.02209 • Exploits: 1
F5 Networks • added 2023/04/21 5:33 p.m.

K000133612: OpenJDK vulnerability CVE-2023-21939

Security Advisory Description: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Swing. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and...

CVSS 5.3 • AI score 5.4 • EPSS 0.02474 • Exploits: 1
F5 Networks • added 2023/04/21 6:39 a.m.

K000133603: Java vulnerabilities CVE-2023-21967, CVE-2023-21968, and CVE-2023-21930

Security Advisory Description: CVE-2023-21967 - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9...

CVSS 7.4 • AI score 6.5 • EPSS 0.01523 • Exploits: 0
F5 Networks • added 2023/04/18 3:57 p.m.

K000133547: Python urllib3 vulnerability CVE-2020-26137

Security Advisory Description: urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest. NOTE: this is similar to CVE-2020-26116. CVE-2020-26137. Impact: An attacker may...

AI score 8.2 • Exploits: 0 • Affected Software: 3
F5 Networks • added 2023/04/18 3:32 p.m.

K000133390: Apache Tomcat vulnerability CVE-2022-45143

Security Advisory Description: The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply...

CVSS 7.5 • AI score 8.3 • EPSS 0.02505 • Exploits: 0 • Affected Software: 1
F5 Networks • added 2023/04/14 7:12 p.m.

K000133522: Apache mod_proxy_wstunnel vulnerability CVE-2019-17567

Security Advisory Description: Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no...

CVSS 5.3 • AI score 7.1 • EPSS 0.60266 • Exploits: 0 • Affected Software: 3
F5 Networks • added 2023/04/14 7:21 a.m.

K000133517: OpenSSH vulnerability CVE-2023-28531

Security Advisory Description: ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. CVE-2023-28531. Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory...

CVSS 9.8 • AI score 6.5 • EPSS 0.02138 • Exploits: 0
F5 Networks • added 2023/04/14 12:36 a.m.

K000133512: Intel platform vulnerabilities (INTEL-SA-00737) CVE-2021-39295, CVE-2021-39296, CVE-2022-29493, CVE-2022-29494, and CVE-2022-35729

Security Advisory Description: CVE-2021-39295 - In OpenBMC 2.9, crafted IPMI messages allow an attacker to cause a denial of service to the BMC via the netipmid IPMI lan+ interface. CVE-2021-39296 - In OpenBMC 2.9, crafted IPMI messages allow an attacker to bypass authentication and gain full control ...

CVSS 10 • AI score 6.4 • EPSS 0.02914 • Exploits: 2
F5 Networks • added 2023/04/14 12:30 a.m.

K000133511: QEMU vulnerability CVE-2022-0216

Security Advisory Description: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within...

CVSS 4.4 • AI score 6 • EPSS 0.00405 • Exploits: 1
F5 Networks • added 2023/04/12 7:47 p.m.

K000133494: Node.js vulnerability CVE-2022-43548

Security Advisory Description: An OS Command Injection vulnerability exists in Node.js versions 14.21.1, 16.18.1, 18.12.1, 19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests...

CVSS 8.1 • AI score 7.1 • EPSS 0.14024 • Exploits: 0
Total number of security vulnerabilities: 6294