Vulnerabilities (CVE)

Filtered by vendor F5 Subscribe
Total 823 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-5885 1 F5 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more 2021-07-21 6.4 MEDIUM 9.1 CRITICAL
On versions 15.0.0-15.1.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, and 12.1.0-12.1.5.1, BIG-IP systems set up for connection mirroring in a high availability (HA) pair transfer sensitive cryptographic objects over an insecure communications channel. This is a control plane issue which is exposed only on the network used for connection mirroring.
CVE-2020-5924 1 F5 1 Big-ip Access Policy Manager 2021-07-21 5.0 MEDIUM 5.3 MEDIUM
In BIG-IP APM versions 12.1.0-12.1.5.1 and 11.6.1-11.6.5.2, RADIUS authentication leaks memory when the username for authentication is not set.
CVE-2020-5859 1 F5 11 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 8 more 2021-07-21 5.0 MEDIUM 7.5 HIGH
On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file.
CVE-2020-5869 1 F5 1 Big-iq Centralized Management 2021-07-21 6.4 MEDIUM 9.1 CRITICAL
In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization is not secure by TLS and may allow on-path attackers to read / modify confidential data in transit.
CVE-2021-23022 1 F5 2 Big-ip Access Policy Manager, Big-ip Access Policy Manager Client 2021-06-23 7.2 HIGH 7.8 HIGH
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23023 1 F5 1 Big-ip Access Policy Manager 2021-06-22 6.9 MEDIUM 7.8 HIGH
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23021 1 F5 1 Nginx Controller 2021-06-11 2.1 LOW 5.5 MEDIUM
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
CVE-2021-23020 1 F5 1 Nginx Controller 2021-06-11 2.1 LOW 5.5 MEDIUM
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.
CVE-2021-23018 1 F5 1 Nginx Controller 2021-06-11 5.8 MEDIUM 7.4 HIGH
Intra-cluster communication does not use TLS. The services within the NGINX Controller 3.x before 3.4.0 namespace are using cleartext protocols inside the cluster.
CVE-2021-23014 1 F5 2 Big-ip Advanced Web Application Firewall, Big-ip Application Security Manager 2021-05-24 6.5 MEDIUM 8.8 HIGH
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23011 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2021-05-24 5.0 MEDIUM 7.5 HIGH
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23015 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2021-05-24 6.5 MEDIUM 7.2 HIGH
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23016 1 F5 1 Big-ip Access Policy Manager 2021-05-24 5.0 MEDIUM 5.3 MEDIUM
On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23009 1 F5 14 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Advanced Web Application Firewall and 11 more 2021-05-21 5.0 MEDIUM 7.5 HIGH
On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23008 1 F5 1 Big-ip Access Policy Manager 2021-05-19 7.5 HIGH 9.8 CRITICAL
On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2021-23010 1 F5 1 Big-ip Application Security Manager 2021-05-19 5.0 MEDIUM 7.5 HIGH
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2014-9342 1 F5 1 Big-ip 2021-05-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the tree view (pl_tree.php) feature in Application Security Manager (ASM) in F5 BIG-IP 11.3.0 allows remote attackers to inject arbitrary web script or HTML by accessing a crafted URL during automatic policy generation.
CVE-2021-23006 1 F5 1 Big-iq Centralized Management 2021-04-06 4.3 MEDIUM 6.1 MEDIUM
On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
CVE-2021-23005 1 F5 1 Big-iq Centralized Management 2021-04-06 6.4 MEDIUM 9.1 CRITICAL
On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
CVE-2021-22996 1 F5 1 Big-iq Centralized Management 2021-04-06 5.0 MEDIUM 7.5 HIGH
On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. This behavior may lead to a denial-of-service (DoS) and impact the stability of a BIG-IQ high availability (HA) cluster. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.