6413 matches found
K15150: cURL and libcurl vulnerability CVE-2013-4545
Security Advisory Description cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification CURLOPTSSLVERIFYHOST when the digital signature verification CURLOPTSSLVERIFYPEER is disabled, which allows man-in-the-middle attackers to spo...
K15151: pyOpenSSL vulnerability CVE-2013-4314
Security Advisory Description The X509Extension in pyOpenSSL before 0.13.1 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate...
K15152: Ruby vulnerability CVE-2013-4164
Security Advisory Description Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a string that is...
K02694732: BIG-IP Advanced WAF and ASM bd vulnerability CVE-2022-41691
Security Advisory Description When an F5 BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. CVE-2022-41691 Impact Traffic is disrupted while the bd process restarts. This vulnerability allows a remote...
K69488451: Multiple QEMU vulnerabilities CVE-2020-13791, CVE-2020-13800, CVE-2020-15469, CVE-2020-15859, and CVE-2020-15863
Security Advisory Description CVE-2020-13791 hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. CVE-2020-13800 ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite...
K64462543: NodeJS vulnerability CVE-2015-2927
Security Advisory Description node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service bandwidth consumption. CVE-2015-2927 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluate...
K70746705: Multiple NAME:WRECK vulnerabilities
Security Advisory Description CVE-2020-7461 In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient8 fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap...
K65397301: iRules RESOLVER::summarize memory leak vulnerability CVE-2021-23049
Security Advisory Description When the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel TMM memory utilization resulting in an out-of-memory condition and a denial-of-service DoS. CVE-2021-23049 Impact...
K66544153: jQuery vulnerability CVE-2020-11023
Security Advisory Description In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. This probl...
K63025104: NodeJS vulnerability CVE-2018-7160
Security Advisory Description The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network acces...
K61420264: Linux kernel vulnerability CVE-2015-8830
Security Advisory Description Integer overflow in the aiosetupsinglevector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701...
K6075: Cross-Site Scripting Vulnerability - Secunia Advisory SA19337
Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5...
K53854428: iControl SOAP vulnerability CVE-2021-23026
Security Advisory Description BIG-IP and BIG-IQ are vulnerable to cross-site request forgery CSRF attacks through iControl SOAP. CVE-2021-23026 Impact An attacker may trick authenticated users into performing critical actions. This vulnerability can only be exploited through the control plane and...
K5873: PAM conversation stack corruption in OpenSSH - CVE-2003-0787
Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...
K53756439: MySQL vulnerabilities CVE-2018-2767, CVE-2018-3063, CVE-2017-3653, and CVE-2018-3066
Security Advisory Description CVE-2018-2767 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Security: Encryption. Supported versions that are affected are 5.5.60 and prior, 5.6.40 and prior and 5.7.22 and prior. Difficult to exploit vulnerability allows low...
K58935003: F5 Container Connector vulnerability CVE-2018-5543
Security Advisory Description The F5 BIG-IP Controller for Kubernetes k8s-bigip-crtl passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container. CVE-2018-5543 Impact F5 BIG-IP Controller for Kubernetes This vulnerability...
K49033153: Apache Syncope vulnerabilities CVE-2018-1321 and CVE-2018-1322
Security Advisory Description CVE-2018-1321 An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations XSLT to perform malicious operations,...
K41101201: Linux kernel vulnerability CVE-2017-18203
Security Advisory Description The dmgetfromkobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service BUG by leveraging a race condition with dmdestroy during creation and removal of DM devices. CVE-2017-18203 Impact Traffix SDC This...
K42465020: BIG-IP URL classification vulnerability CVE-2019-6610
Security Advisory Description The BIG-IP system is vulnerable to a denial-of-service DoS attack when performing URL classification. CVE-2019-6610 Impact A remote attacker may be able to disrupt services by causing the Traffic Management Microkernel TMM to restart. There is no exposure in the...
K34732584: FreeType vulnerability CVE-2015-9381
Security Advisory Description FreeType before 2.6.1 has a heap-based buffer over-read in T1GetPrivateDict in type1/t1parse.c. CVE-2015-9381 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has evaluated the currently...
K28622040: Python vulnerability CVE-2019-9948
Security Advisory Description urllib in Python 2.x through 2.7.16 supports the localfile: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen'localfile:///etc/passwd' call. CVE-2019-9948 Impac...
K23630542: MySQL vulnerabilities CVE-2017-3636, CVE-2018-3081, CVE-2018-3174, CVE-2021-2144, and CVE-2020-2812
Security Advisory Description CVE-2017-3636 Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Client programs. Supported versions that are affected are 5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability allows low privileged attacker with logon to...
K27110515: Open SSL vulnerability CVE-2001-1141
Security Advisory Description The Pseudo-Random Number Generator PRNG in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers. CVE-2001-1141...
K16764: PHP vulnerability CVE-2015-4022
Security Advisory Description Integer overflow in the ftpgenlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. CVE-2015-40...
K15320518: FasterXML jackson-databind vulnerability CVE-2020-8840
Security Advisory Description In FasterXML jackson-databind 2.0.0 through 2.9.10.2, due to the lack of certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter , attackers can exploit JNDI injections to remotely execute code. FasterXML Jackson is a...
K14649763: Overview of F5 vulnerabilities (August 2022)
Security Advisory Description On August 3, 2022, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated...
K14632915: TMM vulnerability CVE-2019-6603
Security Advisory Description Malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs. CVE-2019-6603 Impact This vulnerability...
K09121542: BIG-IP SSL/TLS vulnerability CVE-2021-22981
Security Advisory Description The original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret EMS extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation...
K05770600: Linux libuser vulnerability CVE-2015-3246
Security Advisory Description libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service inconsistent file state by causing an error during the modification. NOTE:...
K06440657: BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001
Security Advisory Description The upload functionality in BIG-IP Advanced WAF and ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. CVE-2021-23001 Impact An authenticated malicious user can upload malicious files to use in...
K11522001: Apache vulnerabilities CVE-2018-1313, CVE-2018-1338, CVE-2018-1339, CVE-2018-1335, and CVE-2018-8003
Security Advisory Description CVE-2018-1313 In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java...
K87502622: iControl REST vulnerability CVE-2021-22978
Security Advisory Description Undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. CVE-2021-22978 Impact An attacker may exploit this vulnerability using a crafted URL to a...
K87235248: ImageMagick vulnerability CVE-2020-29599
Security Advisory Description ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject...
K99038439: NodeJS vulnerability CVE-2012-2330
Security Advisory Description The Update method in src/nodehttpparser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information request header contents and possibly spoof HTTP headers via a zero...
K88474783: BIG-IP DoS profile vulnerability CVE-2020-5879
Security Advisory Description Under certain configurations, the BIG-IP system sends data plane traffic to back-end servers unencrypted, even when a Server SSL profile is applied. CVE-2020-5879 Impact The affected system sends some requests to the back-end server without encryption, possibly leaki...
K89095152: PHP vulnerability CVE-2018-17082
Security Advisory Description The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the phphandler function in...
K80945213: BIG-IP ASM and F5 Advanced WAF attack signature check failure security exposure
Security Advisory Description A BIG-IP ASM and F5 Advanced Web Application Firewall Advanced WAF attack signature check may fail to detect and block certain GET requests when cross-site request forgery CSRF protection is enabled. Impact Attackers may be able to bypass BIG-IP ASM and Advanced WAF...
K79428827: BIG-IP APM OCSP vulnerability CVE-2021-23047
Security Advisory Description When BIG-IP APM performs Online Certificate Status Protocol OCSP verification of a certificate that contains Authority Information Access AIA, undisclosed requests may cause an increase in memory use. CVE-2021-23047 Impact This vulnerability allows a remote attacker ...
K04912972: NTP vulnerability CVE-2018-7185
Security Advisory Description The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service disruption by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim...
K01074825: libcroco vulnerability CVE-2020-12825
Security Advisory Description libcroco through 0.6.13 has excessive recursion in crparserparseanycore in cr-parser.c, leading to stack consumption. CVE-2020-12825 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product Development has...
K64208870: TMM vulnerability CVE-2018-15319
Security Advisory Description Malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies. CVE-2018-15319 Impact An attacker may be able to...
K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302
Security Advisory Description JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a...
K5790: Apache JServ Protocol vulnerability JVN#79314822
Security Advisory Description Note : Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...
K59145983: Intel CSME and SPS vulnerability CVE-2019-0090
Security Advisory Description Insufficient access control vulnerability in subsystem for IntelR CSME before version 12.0.35, IntelR SPS before version SPSE305.00.04.027.0 may allow unauthenticated user to potentially enable escalation of privilege via physical access. CVE-2019-0090 Impact Traffix...
K51674118: Linux kernel vulnerability CVE-2019-11599
Security Advisory Description The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have...
K51470205: Intel DAL vulnerability CVE-2019-0170
Security Advisory Description Buffer overflow in subsystem in IntelR DAL before version 12.0.35 may allow a privileged user to potentially enable escalation of privilege via local access. CVE-2019-0170 Impact Traffix SDC An attacker with local access to the system can exploit this vulnerability...
K45429077: Exiv2 vulnerability CVE-2019-13114
Security Advisory Description http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service crash due to a NULL pointer dereference by returning a crafted response that lacks a space character. CVE-2019-13114 Impact There is no impact; F5 products are not affected by...
K46337613: NodeJS vulnerability CVE-2015-8315
Security Advisory Description The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service CPU consumption via a long version string, aka a "regular expression denial of service ReDoS. CVE-2015-8315 Impact There is no impact; F5 products are not affected by this...
K47306214: GNU Libmicrohttpd vulnerability CVE-2021-3466
Security Advisory Description A flaw was found in libmicrohttpd in versions before 0.9.71. A missing bounds check in the postprocessurlencoded function leads to a buffer overflow, allowing a remote attacker to write arbitrary data in an application that uses libmicrohttpd. The highest threat from...
K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025
Security Advisory Description When a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel TMM to terminate. CVE-2022-23025 Impact Traffic is disrupted while the TMM process restarts. This vulnerability allows an unauthenticated remot...