F5 Vulnerabilities

DATE | CVE | VULNERABILITY TITLE | RISK (attack vector, attack complexity, tags, severity, score)

2023-11-21 | CVE-2023-45886
  The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allows remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.
  Risk: network, low complexity, f5 ipinfusion, 7.5

2023-10-26 | CVE-2023-46747 | Missing Authentication for Critical Function vulnerability in F5 products
  Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, low complexity, f5 CWE-306, critical, 9.8

2023-10-26 | CVE-2023-46748 | SQL Injection vulnerability in F5 products
  An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, low complexity, f5 CWE-89, 8.8

2023-10-10 | CVE-2023-44487 | Resource Exhaustion vulnerability in multiple products
  The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  Risk: 7.5

2023-10-10 | CVE-2023-39447 | Information Exposure Through Log Files vulnerability in F5 products
  When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in the restnoded log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: local, low complexity, f5 CWE-532, 4.4

2023-10-10 | CVE-2023-40534 | Memory Leak vulnerability in F5 products
  When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or a Local Traffic Policy is associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, low complexity, f5 CWE-401, 7.5

2023-10-10 | CVE-2023-40537 | Insufficient Session Expiration vulnerability in F5 products
  An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, high complexity, f5 CWE-613, 8.1

2023-10-10 | CVE-2023-40542 | Allocation of Resources Without Limits or Throttling vulnerability in F5 products
  When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, low complexity, f5 CWE-770, 7.5

2023-10-10 | CVE-2023-41085 | Improper Handling of Exceptional Conditions vulnerability in F5 products
  When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: network, low complexity, f5 CWE-755, 7.5

2023-10-10 | CVE-2023-41253 | Information Exposure Through Log Files vulnerability in F5 BIG-IP Domain Name System
  When on BIG-IP DNS or BIG-IP LTM enabled with the DNS Services License, and a TSIG key is created, it is logged in plaintext in the audit log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Risk: local, low complexity, f5 CWE-532, 5.5