Vulnerabilities > F5 > BIG IP Access Policy Manager > 17.1.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-26 | CVE-2023-46747 | Missing Authentication for Critical Function vulnerability in F5 products Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 9.8 |
| 2023-10-26 | CVE-2023-46748 | SQL Injection vulnerability in F5 products An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 8.8 |
| 2023-10-10 | CVE-2023-44487 | Resource Exhaustion vulnerability in multiple products The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 7.5 |
| 2023-10-10 | CVE-2023-40534 | Memory Leak vulnerability in F5 products When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 7.5 |
| 2023-10-10 | CVE-2023-41373 | Path Traversal vulnerability in F5 products A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. | 9.9 |
| 2023-10-10 | CVE-2023-5450 | Insufficient Verification of Data Authenticity vulnerability in F5 Big-Ip Access Policy Manager An insufficient verification of data vulnerability exists in BIG-IP Edge Client Installer on macOS that may allow an attacker elevation of privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 7.8 |
| 2023-09-27 | CVE-2023-43124 | Cleartext Transmission of Sensitive Information vulnerability in F5 products BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 7.1 |
| 2023-09-27 | CVE-2023-43125 | Cleartext Transmission of Sensitive Information vulnerability in F5 products BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 8.2 |
| 2023-08-02 | CVE-2023-36858 | Insufficient Verification of Data Authenticity vulnerability in F5 products An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 5.5 |
| 2023-08-02 | CVE-2023-38138 | Cross-site Scripting vulnerability in F5 products A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 6.1 |