Vulnerabilities > F5
| Date | CVE | Title | Description | CVSS score |
|---|---|---|---|---|
| 2021-06-10 | CVE-2021-23022 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 products | On version 7.2.1.x before 184.108.40.206 and 7.1.x before 220.127.116.11 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. | 7.2 |
| 2021-06-10 | CVE-2021-23023 | Uncontrolled Search Path Element vulnerability in F5 Big-Ip Access Policy Manager | On version 7.2.1.x before 18.104.22.168 and 7.1.x before 22.214.171.124 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer. | 6.9 |
| 2021-06-10 | CVE-2021-23024 | Unspecified vulnerability in F5 Big-Iq Centralized Management | On version 8.0.x before 126.96.36.199, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. | 9.0 |
| 2021-06-01 | CVE-2021-23019 | Insufficiently Protected Credentials vulnerability in F5 Nginx Controller | The NGINX Controller 2.0.0 through 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. | 6.9 |
| 2021-06-01 | CVE-2021-23020 | Use of Insufficiently Random Values vulnerability in F5 Nginx Controller | The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm, which could lead to predictable keys. | 2.1 |
| 2021-06-01 | CVE-2021-23021 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 Nginx Controller | The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable, with current permission bits set to 644. | 2.1 |
| 2021-06-01 | CVE-2021-23018 | Cleartext Transmission of Sensitive Information vulnerability in F5 Nginx Controller | Intra-cluster communication does not use TLS. | 5.8 |
| 2021-05-10 | CVE-2021-23009 | Infinite Loop vulnerability in F5 products | On BIG-IP version 16.0.x before 188.8.131.52 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop, which causes a Denial of Service for Data Plane traffic. | 5.0 |
| 2021-05-10 | CVE-2021-23010 | Unspecified vulnerability in F5 Big-Ip Application Security Manager | On versions 16.0.x before 184.108.40.206, 15.1.x before 15.1.2, 14.1.x before 220.127.116.11, 13.1.x before 18.104.22.168, and 12.1.x before 22.214.171.124, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file. | 5.0 |
| 2021-05-10 | CVE-2021-23012 | Command Injection vulnerability in F5 products | On BIG-IP versions 16.0.x before 126.96.36.199, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either the "Resource Administrator" or "Administrator" role to execute arbitrary bash commands on BIG-IP. | 7.2 |