6294 matches found

F5 Networks
•added 2023/02/21 6:34 p.m.•45 views

K86300800: Apache Struts 2 vulnerability CVE-2017-9787

Security Advisory Description When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack when user was properly authenticated. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. CVE-2017-9787 Impact There is no impact; F5 products are not...

CVSS 7.5 • AI score 7.6 • EPSS 0.11194
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•158 views

K35033051: Tomcat vulnerability CVE-2021-30640

Security Advisory Description A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45...

CVSS 6.5 • AI score 7.8 • EPSS 0.09886
Exploits: 0 • Affected Software: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•29 views

K37683194: Poppler vulnerability CVE-2018-13988

Security Advisory Description Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memory space, as demonstrated by pdfunite. This can result in memory corruption and denial of service. This may be exploitable when a victim...

CVSS 6.5 • AI score 6.3 • EPSS 0.0315
Exploits: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•54 views

K55248799: phpLDAPAdmin vulnerabilities CVE-2005-2654, CVE-2005-2792, CVE-2005-2793, CVE-2006-2016, and CVE-2009-4427

Security Advisory Description CVE-2005-2654 phpldapadmin before 0.9.6c allows remote attackers to gain anonymous access to the LDAP server, even when disable_anon_bind is set, via an HTTP request to login.php with the anonymous_bind parameter set. CVE-2005-2792 Directory traversal vulnerability in...

CVSS 7.5 • AI score 6.2 • EPSS 0.1167
Exploits: 4
F5 Networks
•added 2023/02/21 6:34 p.m.•39 views

K42059040: Binutils vulnerability CVE-2019-9075

Security Advisory Description An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in archive64.c. CVE-2019-9075 Impact Successful exploitation of this vulnerability could...

CVSS 7.8 • AI score 7.8 • EPSS 0.01697
Exploits: 1 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•56 views

K25920352: Intel CPU SRBDS side-channel vulnerability CVE-2020-0543

Security Advisory Description Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. CVE-2020-0543 Impact There is no impact; F5 products are not affected by this...

CVSS 5.5 • AI score 6.3 • EPSS 0.0054
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•25 views

K73522927: BIG-IP Appliance mode vulnerability CVE-2019-6633

Security Advisory Description When the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions. CVE-2019-6633 Impact This vulnerability allows the attacker to exploit the system with high-level...

CVSS 4.4 • AI score 4.9 • EPSS 0.00347
Exploits: 0 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•102 views

K52349521: OpenSSL vulnerability CVE-2016-2842

Security Advisory Description The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or...

CVSS 10 • AI score 8.4 • EPSS 0.53655
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•27 views

K48224824: BIG-IP DNS Cache vulnerability CVE-2018-5532

Security Advisory Description On F5 BIG-IP 13.0.0, 12.1.0-12.1.2, 11.6.0-11.6.3.1, or 11.2.1-11.5.6 a domain name cached within the DNS Cache of TMM may continue to be resolved by the cache even after the parent server revokes the record, if the DNS Cache is receiving a stream of requests for the...

CVSS 5.3 • AI score 5.4 • EPSS 0.01165
Exploits: 0 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•77 views

K61164061: PHP vulnerability CVE-2017-9227

Security Advisory Description An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could...

CVSS 9.8 • AI score 7.2 • EPSS 0.06265
Exploits: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•53 views

K49905324: BIG-IP TMUI CSRF vulnerability CVE-2022-1389

Security Advisory Description A cross-site request forgery (CSRF) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This vulnerability allows an attacker to run a limited set of commands: ping, traceroute, and WOM diagnostics. CVE-2022-1389 Impact An attacker may...

CVSS 4.3 • AI score 4.8 • EPSS 0.00325
Exploits: 0 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•36 views

K16016: Linux kernel SCTP vulnerability CVE-2014-7841

Security Advisory Description The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel before 3.17.4, when ASCONF is used, allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk...

CVSS 5 • AI score 6.4 • EPSS 0.0523
Exploits: 1 • Affected Software: 20
F5 Networks
•added 2023/02/21 6:34 p.m.•218 views

K21600298: OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068

Security Advisory Description CVE-2022-1292 The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute...

CVSS 10 • AI score 7.9 • EPSS 0.95764
Exploits: 6 • Affected Software: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•465 views

K33721814: PHP vulnerability CVE-2016-6174

Security Advisory Description applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code vi...

CVSS 8.1 • AI score 8.5 • EPSS 0.12288
Exploits: 7
F5 Networks
•added 2023/02/21 6:34 p.m.•81 views

K56450659: Linux kernel vulnerability CVE-2017-11176

Security Advisory Description The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified...

CVSS 7.8 • AI score 6.9 • EPSS 0.03631
Exploits: 8 • Affected Software: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•32 views

K08613310: BIND vulnerability CVE-2017-3145

Security Advisory Description BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. CVE-2017-3145 Impact BIG-IP A remote attacker can use this flaw to make...

CVSS 7.5 • AI score 7.2 • EPSS 0.42457
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•40 views

K52514501: MySQL vulnerabilities CVE-2019-2596, CVE-2019-2606, CVE-2019-2607, CVE-2019-2614, and CVE-2019-2617

Security Advisory Description CVE-2019-2596 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.15 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple...

CVSS 4.9 • AI score 5.2 • EPSS 0.0281
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•37 views

K26462555: BIG-IP ASM and BIG-IQ/Enterprise Manager/F5 iWorkflow device authentication and trust vulnerability CVE-2019-6665

Security Advisory Description An attacker with access to the device communication between the BIG-IP ASM Central Policy Builder and the BIG-IQ/Enterprise Manager/F5 iWorkflow will be able to set up the proxy the same way and intercept the traffic. CVE-2019-6665 Impact BIG-IP ASM / BIG-IQ /...

CVSS 9.4 • AI score 8.7 • EPSS 0.0113
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•34 views

K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029

Security Advisory Description When a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. CVE-2022-23029 Impact System performance degradation can occur until the process is either forced to restart or manually restarted. This...

CVSS 5.3 • AI score 5.5 • EPSS 0.00729
Exploits: 0 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•32 views

K45435121: DNS Express vulnerability CVE-2018-5538

Security Advisory Description On F5 BIG-IP DNS 13.1.0-13.1.0.7, 12.1.3-12.1.3.5, DNS Express / DNS Zones accept NOTIFY messages on the management interface from source IP addresses not listed in the 'Allow NOTIFY From' configuration parameter when the db variable "dnsexpress.notifyport" is set to...

CVSS 4.3 • AI score 4.7 • EPSS 0.00782
Exploits: 0 • Affected Software: 4
F5 Networks
•added 2023/02/21 6:34 p.m.•43 views

K23153696: Apache HTTPD vulnerability CVE-2020-1927

Security Advisory Description In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. CVE-2020-1927 Impact An attacker can abuse...

CVSS 6.1 • AI score 6.8 • EPSS 0.58395
Exploits: 0 • Affected Software: 16
F5 Networks
•added 2023/02/21 6:34 p.m.•19 views

K20984059: BIG-IP LTM vulnerability CVE-2020-5949

Security Advisory Description Certain traffic pattern sent to a virtual server configured with an FTP profile can cause the FTP channel to break. CVE-2020-5949 Impact FTP traffic is disrupted. FTP clients are unable to connect to the FTP server and commands issued to the FTP server stall or fail...

CVSS 7.5 • AI score 7.5 • EPSS 0.01031
Exploits: 0 • Affected Software: 14
F5 Networks
•added 2023/02/21 6:34 p.m.•42 views

K44834280: Multiple Treck vulnerabilities CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338

Security Advisory Description CVE-2020-25066 A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code. CVE-2020-27336 An issue was discovered in Treck IPv6 before 6.0.1.68...

CVSS 10 • AI score 7.4 • EPSS 0.03348
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•32 views

K48220300: libxml2 vulnerability CVE-2016-1836

Security Advisory Description Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML...

CVSS 5.5 • AI score 6.7 • EPSS 0.03797
Exploits: 0 • Affected Software: 15
F5 Networks
•added 2023/02/21 6:34 p.m.•38 views

K41102235: Tomcat vulnerability CVE-2021-43980

Security Advisory Description The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to...

CVSS 3.7 • AI score 7.1 • EPSS 0.01746
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•42 views

K45243961: OpenLDAP vulnerability CVE-2020-12243

Security Advisory Description In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). CVE-2020-12243 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5...

CVSS 7.5 • AI score 6.4 • EPSS 0.04423
Exploits: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•35 views

K04054286: Linux kernel TCP vulnerability CVE-2016-2070

Security Advisory Description The tcp_cwnd_reduction function in net/ipv4/tcp_input.c in the Linux kernel before 4.3.5 allows remote attackers to cause a denial of service (divide-by-zero error and system crash) via crafted TCP traffic. CVE-2016-2070 Impact Successful exploitation of this vulnerabilit...

CVSS 7.8 • AI score 7.2 • EPSS 0.03322
Exploits: 0 • Affected Software: 2
F5 Networks
•added 2023/02/21 6:34 p.m.•22 views

K99005715: DUHK vulnerability CVE-2016-8492

Security Advisory Description The implementation of an ANSI X9.31 RNG in Fortinet FortiGate allows attackers to gain unauthorized read access to data handled by the device via IPSec/TLS decryption. CVE-2016-8492 Impact There is no impact; F5 products are not affected by this vulnerability. Securi...

CVSS 5.9 • AI score 5.6 • EPSS 0.01423
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•35 views

K29500533: TMUI XSS vulnerability CVE-2022-23013

Security Advisory Description A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. CVE-2022-23013 Impact An attacker may exploit this...

CVSS 8.8 • AI score 7.7 • EPSS 0.00797
Exploits: 0 • Affected Software: 2
F5 Networks
•added 2023/02/21 6:34 p.m.•67 views

K95593121: Linux kernel vulnerability CVE-2019-10126

Security Advisory Description A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. CVE-2019-10126 Impact There is no impact; F5 products a...

CVSS 9.8 • AI score 7 • EPSS 0.06821
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•53 views

K76314525: Samba vulnerabilities CVE-2015-5252 and CVE-2015-5299

Security Advisory Description CVE-2015-5252 vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points...

CVSS 7.2 • AI score 6.6 • EPSS 0.13335
Exploits: 1 • Affected Software: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•271 views

K70084351: Apache HTTPD vulnerability CVE-2017-9798

Security Advisory Description Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x...

CVSS 7.5 • AI score 7.6 • EPSS 0.94999
Exploits: 9
F5 Networks
•added 2023/02/21 6:34 p.m.•102 views

K72118410: Linux kernel vulnerability CVE-2021-29154

Security Advisory Description BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. CVE-2021-29154 Impact...

CVSS 7.8 • AI score 6.8 • EPSS 0.00939
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•54 views

K73644551: Apache Tomcat vulnerability CVE-2016-6325

Security Advisory Description The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat...

CVSS 7.8 • AI score 7.9 • EPSS 0.00693
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•35 views

K25521404: Node.js netmask vulnerability CVE-2021-28918 and CVE-2021-29418

Security Advisory Description CVE-2021-28918 Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypa...

CVSS 9.1 • AI score 7.5 • EPSS 0.16356
Exploits: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•50 views

K76328112: BIG-IP TMM vulnerability CVE-2019-6683

Security Advisory Description BIG-IP virtual servers with Loose Initiation enabled on a FastL4 profile may be subject to excessive flow usage under undisclosed conditions. CVE-2019-6683 Impact This vulnerability is present only on BIG-IP Virtual Edition (VE) systems with limited bandwidth licenses...

CVSS 7.5 • AI score 7.3 • EPSS 0.01014
Exploits: 0 • Affected Software: 13
F5 Networks
•added 2023/02/21 6:34 p.m.•59 views

K55121327: GnuPG vulnerability CVE-2018-12020

Security Advisory Description mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example,...

CVSS 7.5 • AI score 7 • EPSS 0.08654
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•33 views

K64944965: Linux kernel vulnerability CVE-2019-19075

Security Advisory Description A memory leak in the ca8210_probe function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data failures, aka CID-6402939ec86e. CVE-2019-19075 Impact...

CVSS 7.8 • AI score 7.1 • EPSS 0.03989
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•77 views

K21238552: MySQL vulnerabilities CVE-2019-2529, CVE-2019-2531, CVE-2019-2532, CVE-2019-2533, and CVE-2019-2534

Security Advisory Description CVE-2019-2529 Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.6.42 and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable vulnerability allows low privileged attacke...

CVSS 7.1 • AI score 6.2 • EPSS 0.04207
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•51 views

K54924436: PHP vulnerability CVE-2015-8865

Security Advisory Description The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service...

CVSS 7.5 • AI score 9 • EPSS 0.04985
Exploits: 1 • Affected Software: 21
F5 Networks
•added 2023/02/21 6:34 p.m.•64 views

K67352212: Apache vulnerabilities CVE-2018-1286, CVE-2018-1294, CVE-2018-1316, CVE-2018-1319, and CVE-2018-1324

Security Advisory Description CVE-2018-1286 In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users. CVE-2018-1294 If a user of Commons-Email (typically an application programmer)...

CVSS 7.5 • AI score 6.2 • EPSS 0.03681
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•69 views

K22322802: Grafana vulnerability CVE-2021-39226

Security Advisory Description Grafana is an open source data visualization platform. In affected versions unauthenticated and authenticated users are able to view the snapshot with the lowest database key by accessing the literal paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the...

CVSS 9.8 • AI score 7.7 • EPSS 0.99951
Exploits: 1 • Affected Software: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•44 views

K51535953: Intel CPU vulnerability CVE-2019-0185

Security Advisory Description Insufficient access control in protected memory subsystem for SMM for 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor families; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 families; Intel(R) Xeon(R) E-2100 and E-2200 Processor families with Intel(R) Processor Graphic...

CVSS 5.5 • AI score 5.7 • EPSS 0.00349
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•86 views

K54436295: Linux kernel vulnerability CVE-2018-17182

Security Advisory Description An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free and possibly gain privileges via certain thread creation, map, unmap, invalidatio...

CVSS 7.8 • AI score 6.7 • EPSS 0.03206
Exploits: 4
F5 Networks
•added 2023/02/21 6:34 p.m.•69 views

K51100910: rpcbind vulnerabilities CVE-2017-8779 and CVE-2017-8804

Security Advisory Description CVE-2017-8779 rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory...

CVSS 7.8 • AI score 7.3 • EPSS 0.81921
Exploits: 4
F5 Networks
•added 2023/02/21 6:34 p.m.•46 views

K22893952: Apache vulnerability CVE-2019-0190

Security Advisory Description A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when...

CVSS 7.5 • AI score 6.9 • EPSS 0.59942
Exploits: 0
F5 Networks
•added 2023/02/21 6:34 p.m.•60 views

K51484039: PHP 'snmp.c' remote format string vulnerability CVE-2016-4071

Security Advisory Description Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call. CVE-2016-4071 Impact There...

CVSS 9.8 • AI score 9.3 • EPSS 0.19455
Exploits: 1
F5 Networks
•added 2023/02/21 6:34 p.m.•27 views

K03386032: BIG-IP VE interface vulnerability CVE-2020-5881

Security Advisory Description When the BIG-IP Virtual Edition (VE) is configured with VLAN groups and there are devices configured with OSPF connected to it, the Network Device Abstraction Layer (NDAL) Interfaces can lock up and in turn disrupt the communication between the mcpd and tmm processes...

CVSS 7.5 • AI score 7.3 • EPSS 0.01276
Exploits: 0 • Affected Software: 11
F5 Networks
•added 2023/02/21 6:34 p.m.•48 views

K05513373: Linux kernel vulnerability CVE-2016-9576

Security Advisory Description The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel before 4.8.14 does not properly restrict the type of iterator, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging...

CVSS 7.8 • AI score 6 • EPSS 0.00437
Exploits: 0 • Affected Software: 23
F5 Networks
•added 2023/02/21 6:34 p.m.•76 views

K49622415: Apache Tomcat vulnerability CVE-2022-25762

Security Advisory Description If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been...

CVSS 8.6 • AI score 8.1 • EPSS 0.07538
Exploits: 0 • Affected Software: 1

Total number of security vulnerabilities: 6294