CVE-2023-46747

Known exploited
Public exploit
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
9.8
EPSS Score
97.20%
Published
2023-10-26
Updated
2024-02-01
CISA KEV Added
2023-10-31

CVE-2022-41800

Public exploit
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
8.7
EPSS Score
1.08%
Published
2022-12-07
Updated
2022-12-12

CVE-2022-41622

Public exploit
In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
8.8
EPSS Score
42.25%
Published
2022-12-07
Updated
2022-12-08

CVE-2022-1388

Known exploited
Public exploit
Used for ransomware
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
9.8
EPSS Score
97.48%
Published
2022-05-05
Updated
2023-11-02
CISA KEV Added
2022-05-10

CVE-2021-22986

Known exploited
Public exploit
Used for ransomware
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Max CVSS
10.0
EPSS Score
97.44%
Published
2021-03-31
Updated
2022-07-12
CISA KEV Added
2021-11-03

CVE-2020-5902

Known exploited
Public exploit
Used for ransomware
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Max CVSS
10.0
EPSS Score
97.56%
Published
2020-07-01
Updated
2023-11-14
CISA KEV Added
2021-11-03

CVE-2015-3628

Public exploit
The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP AAM 11.4.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 11.3.0, BIG-IP GTM 11.3.0 before 11.6.0 HF6, BIG-IP PSM 11.3.0 through 11.4.1, Enterprise Manager 3.1.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 allows remote authenticated users with the "Resource Administrator" role to gain privileges via an iCall (1) script or (2) handler in a SOAP request to iControl/iControlPortal.cgi.
Max CVSS
9.0
EPSS Score
64.10%
Published
2015-12-07
Updated
2019-06-06

CVE-2014-2928

Public exploit
The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request.
Max CVSS
7.1
EPSS Score
62.37%
Published
2014-05-12
Updated
2015-11-20
When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based Content Profile for an Allowed URL with "Apply value and content signatures and detect threat campaigns."  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
7.5
EPSS Score
0.04%
Published
2024-02-14
Updated
2024-02-14

CVE-2023-46748

Known exploited
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
8.8
EPSS Score
0.65%
Published
2023-10-26
Updated
2024-02-01
CISA KEV Added
2023-10-31
Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
4.4
EPSS Score
0.04%
Published
2023-10-10
Updated
2023-10-18

CVE-2023-44487

Known exploited
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Max CVSS
7.5
EPSS Score
70.59%
Published
2023-10-10
Updated
2024-02-02
CISA KEV Added
2023-10-10
When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system.  A successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
8.7
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-11-02
The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process.  This vulnerability is due to an incomplete fix for CVE-2023-38418.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-10-10
Updated
2023-10-18
When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
5.5
EPSS Score
0.04%
Published
2023-10-10
Updated
2023-10-17
BIG-IP APM clients may send IP traffic outside of the VPN tunnel.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
8.2
EPSS Score
0.09%
Published
2023-09-27
Updated
2023-10-02
BIG-IP APM clients may send IP traffic outside of the VPN tunnel.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
7.1
EPSS Score
0.05%
Published
2023-09-27
Updated
2023-09-29
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
7.2
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-17
The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-17
A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
9.9
EPSS Score
0.32%
Published
2023-10-10
Updated
2023-10-17
When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
7.5
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-17
When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
7.5
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-17
An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
8.1
EPSS Score
0.09%
Published
2023-10-10
Updated
2023-10-19
When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
7.5
EPSS Score
0.05%
Published
2023-10-10
Updated
2023-10-19
When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Max CVSS
4.4
EPSS Score
0.04%
Published
2023-10-10
Updated
2023-10-16
519 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!