Vulnerabilities > F5

DATE CVE VULNERABILITY TITLE RISK
2021-06-10 CVE-2021-23022 Incorrect Permission Assignment for Critical Resource vulnerability in F5 products
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions.
local
low complexity
f5 CWE-732
7.2
2021-06-10 CVE-2021-23023 Uncontrolled Search Path Element vulnerability in F5 Big-Ip Access Policy Manager
On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer.
local
f5 CWE-427
6.9
2021-06-10 CVE-2021-23024 Unspecified vulnerability in F5 Big-Iq Centralized Management
On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages.
network
low complexity
f5
critical
9.0
2021-06-01 CVE-2021-23019 Insufficiently Protected Credentials vulnerability in F5 Nginx Controller
The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
local
f5 CWE-522
6.9
2021-06-01 CVE-2021-23020 USE of Insufficiently Random Values vulnerability in F5 Nginx Controller
The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys.
local
low complexity
f5 CWE-330
2.1
2021-06-01 CVE-2021-23021 Incorrect Permission Assignment for Critical Resource vulnerability in F5 Nginx Controller
The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
local
low complexity
f5 CWE-732
2.1
2021-06-01 CVE-2021-23018 Cleartext Transmission of Sensitive Information vulnerability in F5 Nginx Controller
Intra-cluster communication does not use TLS.
network
f5 CWE-319
5.8
2021-05-10 CVE-2021-23009 Infinite Loop vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic.
network
low complexity
f5 CWE-835
5.0
2021-05-10 CVE-2021-23010 Unspecified vulnerability in F5 Big-Ip Application Security Manager
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file.
network
low complexity
f5
5.0
2021-05-10 CVE-2021-23012 Command Injection vulnerability in F5 products
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP.
local
low complexity
f5 CWE-77
7.2