|
|
Cpe Name: cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2022-23031 |
611 |
|
|
2022-01-25 |
2022-02-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
2 |
CVE-2022-23030 |
400 |
|
|
2022-01-25 |
2022-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
3 |
CVE-2022-23029 |
367 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
4 |
CVE-2022-23027 |
697 |
|
|
2022-01-25 |
2022-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
5 |
CVE-2022-23026 |
434 |
|
|
2022-01-25 |
2022-02-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
6 |
CVE-2022-23025 |
476 |
|
|
2022-01-25 |
2022-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
7 |
CVE-2022-23023 |
400 |
|
|
2022-01-25 |
2022-02-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
8 |
CVE-2021-23053 |
400 |
|
|
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
9 |
CVE-2021-23051 |
|
|
|
2021-09-14 |
2021-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
10 |
CVE-2021-23050 |
|
|
CSRF |
2021-09-14 |
2021-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
11 |
CVE-2021-23049 |
400 |
|
|
2021-09-14 |
2021-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
12 |
CVE-2021-23048 |
|
|
|
2021-09-14 |
2021-09-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
13 |
CVE-2021-23045 |
|
|
|
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when an SCTP profile with multiple paths is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
14 |
CVE-2021-23042 |
400 |
|
|
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, and 12.1.x before 12.1.6, when an HTTP profile is configured on a virtual server, undisclosed requests can cause a significant increase in system resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
15 |
CVE-2021-23041 |
79 |
|
XSS |
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
16 |
CVE-2021-23036 |
20 |
|
|
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On version 16.0.x before 16.0.1.2, when a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
17 |
CVE-2021-23033 |
|
|
|
2021-09-14 |
2021-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP Advanced WAF and BIG-IP ASM version 16.x before 16.1.0x, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
18 |
CVE-2021-23031 |
78 |
|
|
2021-09-14 |
2021-09-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
19 |
CVE-2021-23030 |
20 |
|
|
2021-09-14 |
2021-09-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
20 |
CVE-2021-23029 |
918 |
|
|
2021-09-14 |
2021-09-27 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
21 |
CVE-2021-23028 |
20 |
|
|
2021-09-14 |
2021-09-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
22 |
CVE-2021-23027 |
79 |
|
XSS |
2021-09-14 |
2021-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
23 |
CVE-2021-23026 |
352 |
|
CSRF |
2021-09-14 |
2021-09-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
24 |
CVE-2021-23025 |
78 |
|
Exec Code |
2021-09-14 |
2021-11-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
25 |
CVE-2021-23015 |
863 |
|
Bypass |
2021-05-10 |
2021-05-24 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
26 |
CVE-2021-23014 |
862 |
|
|
2021-05-10 |
2021-05-24 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
27 |
CVE-2021-23013 |
94 |
|
|
2021-05-10 |
2021-05-24 |
5.4 |
None |
Remote |
High |
Not required |
None |
None |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, the Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions. This vulnerability affects TMM by way of a virtual server configured with an SCTP profile. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
28 |
CVE-2021-23012 |
77 |
|
Exec Code |
2021-05-10 |
2021-05-24 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
29 |
CVE-2021-23011 |
400 |
|
|
2021-05-10 |
2021-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
30 |
CVE-2021-23009 |
835 |
|
DoS |
2021-05-10 |
2021-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
|
31 |
CVE-2021-23004 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, Multipath TCP (MPTCP) forwarding flows may be created on standard virtual servers without MPTCP enabled in the applied TCP profile. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
32 |
CVE-2021-23003 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
33 |
CVE-2021-23001 |
434 |
|
|
2021-03-31 |
2021-04-05 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
34 |
CVE-2021-23000 |
|
|
|
2021-03-31 |
2021-04-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host header value is checked in the AFM HTTP security profile associated with a virtual server, in rare instances, a specific sequence of malicious requests may cause TMM to restart. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
35 |
CVE-2021-22999 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
36 |
CVE-2021-22998 |
|
|
|
2021-03-31 |
2021-04-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
37 |
CVE-2021-22994 |
79 |
|
XSS |
2021-03-31 |
2021-04-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
38 |
CVE-2021-22993 |
79 |
|
XSS |
2021-03-31 |
2021-04-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, DOM-based XSS on DoS Profile properties page. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
39 |
CVE-2021-22992 |
120 |
|
Exec Code Overflow |
2021-03-31 |
2021-04-05 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
40 |
CVE-2021-22991 |
120 |
|
Exec Code Overflow Bypass |
2021-03-31 |
2021-04-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
41 |
CVE-2021-22990 |
|
|
Exec Code |
2021-03-31 |
2021-04-05 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, on systems with Advanced WAF or BIG-IP ASM provisioned, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
42 |
CVE-2021-22989 |
|
|
Exec Code |
2021-03-31 |
2021-04-05 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, when running in Appliance mode with Advanced WAF or BIG-IP ASM provisioned, the TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
43 |
CVE-2021-22988 |
|
|
Exec Code |
2021-03-31 |
2021-04-05 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
44 |
CVE-2021-22987 |
|
|
Exec Code |
2021-03-31 |
2021-04-05 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3 when running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
45 |
CVE-2021-22986 |
|
|
Exec Code |
2021-03-31 |
2021-04-05 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
46 |
CVE-2021-22984 |
601 |
|
|
2021-02-12 |
2021-02-18 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
On BIG-IP Advanced WAF and ASM version 15.1.x before 15.1.0.2, 15.0.x before 15.0.1.4, 14.1.x before 14.1.2.5, 13.1.x before 13.1.3.4, 12.1.x before 12.1.5.2, and 11.6.x before 11.6.5.2, when receiving a unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to Open Redirection attacks. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
47 |
CVE-2021-22981 |
|
|
|
2021-02-12 |
2021-02-19 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
On all versions of BIG-IP 12.1.x and 11.6.x, the original TLS protocol includes a weakness in the master secret negotiation that is mitigated by the Extended Master Secret (EMS) extension defined in RFC 7627. TLS connections that do not use EMS are vulnerable to man-in-the-middle attacks during renegotiation. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
48 |
CVE-2021-22979 |
79 |
|
XSS |
2021-02-12 |
2021-02-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
49 |
CVE-2021-22978 |
79 |
|
XSS |
2021-02-12 |
2021-02-24 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
|
50 |
CVE-2021-22977 |
|
|
|
2021-02-12 |
2021-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. |
Total number of vulnerabilities : 66
Page :
1
(This Page) 2
|
|
