Lucene search

K

F5 Security Vulnerabilities

cve
cve

CVE-2019-6608

On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, the snmpd daemon may leak memory on a multi-blade BIG-IP vCMP guest when processing authorized SNMP...

5.9CVSS

5.7AI Score

0.001EPSS

2019-03-28 09:29 PM
39
cve
cve

CVE-2019-6606

On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, when processing certain SNMP requests with a request-id of 0, the snmpd process may leak a small amount of...

4.3CVSS

4.6AI Score

0.001EPSS

2019-03-28 09:29 PM
26
cve
cve

CVE-2019-6604

On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, hardware systems with a High-Speed Bridge and using non-default Layer 2 forwarding configurations may experience a lockup of the High-Speed...

6.8CVSS

6.6AI Score

0.001EPSS

2019-03-28 09:29 PM
39
cve
cve

CVE-2019-6599

In BIG-IP 11.6.1-11.6.3.2 or 11.5.1-11.5.8, or Enterprise Manager 3.1.1, improper escaping of values in an undisclosed page of the configuration utility may result with an improper handling on the JSON response when it is injected by a malicious script via a remote cross-site scripting (XSS)...

6.1CVSS

6AI Score

0.001EPSS

2019-03-13 10:29 PM
26
cve
cve

CVE-2019-6596

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, 12.1.0-12.1.3.6, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when processing fragmented ClientHello messages in a DTLS session TMM may corrupt memory eventually leading to a crash. Only systems offering DTLS connections via APM are...

7.5CVSS

7.4AI Score

0.001EPSS

2019-03-13 10:29 PM
21
cve
cve

CVE-2019-6598

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack....

4.3CVSS

4.5AI Score

0.001EPSS

2019-03-13 10:29 PM
24
cve
cve

CVE-2019-6597

In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands...

7.2CVSS

6.9AI Score

0.001EPSS

2019-03-13 10:29 PM
24
cve
cve

CVE-2019-6595

Cross-site scripting (XSS) vulnerability in F5 BIG-IP Access Policy Manager (APM) 11.5.x and 11.6.x Admin Web...

6.1CVSS

6.1AI Score

0.001EPSS

2019-02-26 03:29 PM
33
cve
cve

CVE-2019-6593

On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the....

5.9CVSS

4.5AI Score

0.001EPSS

2019-02-26 03:29 PM
38
cve
cve

CVE-2019-6592

On BIG-IP 14.1.0-14.1.0.1, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL...

9.1CVSS

9.2AI Score

0.001EPSS

2019-02-26 03:29 PM
25
cve
cve

CVE-2019-6594

On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some...

5.9CVSS

5.7AI Score

0.001EPSS

2019-02-26 03:29 PM
25
cve
cve

CVE-2019-9075

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.32. It is a heap-based buffer overflow in _bfd_archive_64_bit_slurp_armap in...

7.8CVSS

7.7AI Score

0.001EPSS

2019-02-24 12:29 AM
184
2
cve
cve

CVE-2019-6589

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration...

6.1CVSS

6AI Score

0.001EPSS

2019-02-14 12:29 AM
29
cve
cve

CVE-2019-6590

On BIG-IP LTM 13.0.0 to 13.0.1 and 12.1.0 to 12.1.3.6, under certain conditions, the TMM may consume excessive resources when processing SSL Session ID Persistence...

5.9CVSS

5.7AI Score

0.001EPSS

2019-02-05 07:29 PM
28
cve
cve

CVE-2019-6591

On BIG-IP APM 14.0.0 to 14.0.0.4, 13.0.0 to 13.1.1.3 and 12.1.0 to 12.1.3.7, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM...

5.4CVSS

5.1AI Score

0.001EPSS

2019-02-05 06:29 PM
22
cve
cve

CVE-2018-20657

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to...

7.5CVSS

7AI Score

0.005EPSS

2019-01-02 02:29 PM
51
cve
cve

CVE-2018-17539

The BGP daemon (bgpd) in all IP Infusion ZebOS versions to 7.10.6 and all OcNOS versions to 1.3.3.145 allow remote attackers to cause a denial of service attack via an autonomous system (AS) path containing 8 or more autonomous system number (ASN)...

7.5CVSS

7.4AI Score

0.002EPSS

2018-12-28 04:29 PM
28
cve
cve

CVE-2018-15334

A cross-site request forgery (CSRF) vulnerability in the APM webtop 11.2.1 or greater may allow attacker to force an APM webtop session to log out and require...

4.3CVSS

4.6AI Score

0.0005EPSS

2018-12-28 03:29 PM
24
cve
cve

CVE-2018-15335

When APM 13.0.0-13.1.x is deployed as an OAuth Resource Server, APM becomes a client application to an external OAuth authorization server. In certain cases when communication between the BIG-IP APM and the OAuth authorization server is lost, APM may not display the intended message in the failure....

5.9CVSS

5.6AI Score

0.001EPSS

2018-12-28 03:29 PM
28
cve
cve

CVE-2018-15329

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be...

7.2CVSS

6.9AI Score

0.001EPSS

2018-12-20 08:29 PM
33
cve
cve

CVE-2018-15331

On BIG-IP AAM 13.0.0 or 12.1.0-12.1.3.7, the dcdb_convert utility used by BIG-IP AAM fails to drop group permissions when executing helper scripts, which could be used to leverage attacks against the BIG-IP...

7.8CVSS

7.5AI Score

0.001EPSS

2018-12-20 08:29 PM
22
cve
cve

CVE-2018-15330

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, when a virtual server using the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core...

7.5CVSS

7.4AI Score

0.001EPSS

2018-12-20 08:29 PM
27
cve
cve

CVE-2018-15328

On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3 users and trap destinations that are used for authentication and privacy are not handled by the BIG-IP system Secure Vault feature; they are written in the...

7.5CVSS

7.6AI Score

0.001EPSS

2018-12-12 02:29 PM
21
cve
cve

CVE-2018-15332

The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race...

7CVSS

6.5AI Score

0.0004EPSS

2018-12-06 02:00 PM
30
cve
cve

CVE-2018-16845

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only...

6.1CVSS

6.4AI Score

0.002EPSS

2018-11-07 02:29 PM
4230
cve
cve

CVE-2018-16843

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a...

7.5CVSS

7.3AI Score

0.084EPSS

2018-11-07 02:29 PM
5071
3
cve
cve

CVE-2018-16844

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration...

7.5CVSS

7.3AI Score

0.025EPSS

2018-11-07 02:29 PM
4982
3
cve
cve

CVE-2018-15327

In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be...

7.2CVSS

6.9AI Score

0.001EPSS

2018-10-31 02:29 PM
31
cve
cve

CVE-2018-15318

In BIG-IP 14.0.0-14.0.0.2, 13.1.0.4-13.1.1.1, or 12.1.3.4-12.1.3.6, If an MPTCP connection receives an abort signal while the initial flow is not the primary flow, the initial flow will remain after the closing procedure is complete. TMM may restart and produce a core file as a result of this...

7.5CVSS

7.5AI Score

0.001EPSS

2018-10-31 02:29 PM
29
cve
cve

CVE-2018-15326

In some situations on BIG-IP APM 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, or 11.6.0-11.6.3.2, the CRLDP Auth access policy agent may treat revoked certificates as valid when the BIG-IP APM system fails to download a new Certificate Revocation...

7.5CVSS

7.4AI Score

0.001EPSS

2018-10-31 02:29 PM
22
cve
cve

CVE-2018-15321

When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.1.0-2.3.0, or Enterprise Manager 3.1.1 is licensed for Appliance Mode, Admin and Resource...

4.9CVSS

5.1AI Score

0.001EPSS

2018-10-31 02:29 PM
26
cve
cve

CVE-2018-15325

In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, iControl and TMSH usage by authenticated users may leak a small amount of memory when executing...

4.3CVSS

4.7AI Score

0.001EPSS

2018-10-31 02:29 PM
27
cve
cve

CVE-2018-15322

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 6.0.0-6.0.1, 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.0.1-2.3.0, or Enterprise Manager 3.1.1 a BIG-IP user granted with tmsh access may cause....

6.5CVSS

6.5AI Score

0.001EPSS

2018-10-31 02:29 PM
28
cve
cve

CVE-2018-15319

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.6, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM...

7.5CVSS

7.3AI Score

0.001EPSS

2018-10-31 02:29 PM
30
cve
cve

CVE-2018-15323

On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, in certain circumstances, when processing traffic through a Virtual Server with an associated MQTT profile, the TMM process may produce a core file and take the configured HA...

5.9CVSS

5.7AI Score

0.001EPSS

2018-10-31 02:29 PM
28
cve
cve

CVE-2018-15320

On BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, undisclosed traffic patterns may lead to denial of service conditions for the BIG-IP system. The configuration which exposes this condition is the BIG-IP self IP address which is part of a VLAN group and has the Port Lockdown setting configured with...

7.5CVSS

7.4AI Score

0.001EPSS

2018-10-31 02:29 PM
30
cve
cve

CVE-2018-15324

On BIG-IP APM 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1, TMM may restart when processing a specially crafted request with APM portal...

5.9CVSS

5.7AI Score

0.001EPSS

2018-10-31 02:29 PM
19
cve
cve

CVE-2018-15313

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI...

6.1CVSS

6.1AI Score

0.002EPSS

2018-10-19 01:29 PM
26
cve
cve

CVE-2018-15312

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an authenticated user to execute JavaScript for the currently logged-in...

6.1CVSS

5.9AI Score

0.001EPSS

2018-10-19 01:29 PM
33
cve
cve

CVE-2018-15316

In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint...

5.5CVSS

5.4AI Score

0.001EPSS

2018-10-19 01:29 PM
55
cve
cve

CVE-2018-15314

On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a Reflected Cross Site Scripting vulnerability in undisclosed TMUI...

6.1CVSS

6.1AI Score

0.002EPSS

2018-10-19 01:29 PM
23
cve
cve

CVE-2018-15315

On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected Cross Site Scripting (XSS) vulnerability in an undisclosed Configuration Utility...

6.1CVSS

6AI Score

0.001EPSS

2018-10-19 01:29 PM
27
cve
cve

CVE-2018-15311

When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.5.1-11.5.6 is processing specially crafted TCP traffic with the Large Receive Offload (LRO) feature enabled, TMM may crash, leading to a failover event. This vulnerability is not exposed unless LRO is enabled, so most affected....

5.9CVSS

6.1AI Score

0.001EPSS

2018-10-10 02:29 PM
27
cve
cve

CVE-2016-7475

Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server...

7.5CVSS

7.5AI Score

0.001EPSS

2018-10-08 07:29 PM
23
cve
cve

CVE-2018-5548

On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for orig_uri parameter in an undisclosed /vdesk link of APM virtual server configured with an access profile, allowing a malicious user to build a redirect URI value using different blocks of cipher...

6.1CVSS

6.2AI Score

0.001EPSS

2018-09-13 02:29 PM
27
cve
cve

CVE-2018-15310

A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, 11.6.0-11.6.3, and 12.1.0-12.1.3 discloses the BIG-IP software version in rewritten...

4.3CVSS

4.6AI Score

0.001EPSS

2018-09-13 02:29 PM
21
cve
cve

CVE-2018-5549

On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13.1.0.3, APMD may core when processing SAML Assertion or response containing certain...

7.5CVSS

7.5AI Score

0.001EPSS

2018-09-13 02:29 PM
22
cve
cve

CVE-2018-5545

On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated user can execute code on the alert server by using a maliciously crafted...

8.8CVSS

8.7AI Score

0.002EPSS

2018-09-13 02:29 PM
24
cve
cve

CVE-2018-5546

The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of.....

7.8CVSS

7.4AI Score

0.001EPSS

2018-08-17 12:29 PM
37
cve
cve

CVE-2018-5544

When the F5 BIG-IP APM 13.0.0-13.1.1 or 12.1.0-12.1.3 renders certain pages (pages with a logon agent or a confirm box), the BIG-IP APM may disclose configuration information such as partition and agent names via URI...

7.5CVSS

7.3AI Score

0.002EPSS

2018-07-31 02:29 PM
22
Total number of security vulnerabilities858