Vulnerabilities > F5 > BIG IP Access Policy Manager

DATE CVE VULNERABILITY TITLE RISK
2017-05-11 CVE-2016-7476 Improper Input Validation vulnerability in F5 products
The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, APM, ASM, GTM, Link Controller, PEM, PSM, and WebSafe 11.6.0 before 11.6.0 HF6, 11.5.0 before 11.5.3 HF2, and 11.3.0 before 11.4.1 HF10 may suffer from a memory leak while handling certain types of TCP traffic.
network
low complexity
f5 CWE-20
7.5
2017-05-10 CVE-2016-9250 Permissions, Privileges, and Access Controls vulnerability in F5 products
In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism.
network
low complexity
f5 CWE-264
7.5
2017-05-09 CVE-2017-6137 Unspecified vulnerability in F5 products
In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, and WebSafe 11.6.1 HF1, 12.0.0 HF3, 12.0.0 HF4, and 12.1.0 through 12.1.2, undisclosed traffic patterns received while software SYN cookie protection is engaged may cause a disruption of service to the Traffic Management Microkernel (TMM) on specific platforms and configurations.
network
high complexity
f5
5.9
2017-05-09 CVE-2017-0302 Range Error vulnerability in F5 Big-Ip Access Policy Manager
In F5 BIG-IP APM 12.0.0 through 12.1.2 and 13.0.0, an authenticated user with an established access session to the BIG-IP APM system may be able to cause a traffic disruption if the length of the requested URL is less than 16 characters.
network
high complexity
f5 CWE-118
5.3
2017-05-09 CVE-2016-9257 Cross-site Scripting vulnerability in F5 Big-Ip Access Policy Manager
In F5 BIG-IP APM 12.0.0 through 12.1.2, non-authenticated users may be able to inject JavaScript into a request that will then be rendered and executed in the context of the Administrative user when the Administrative user is viewing the Access System Logs, allowing the non-authenticated user to carry out a Cross Site Scripting (XSS) attack against the Administrative user.
network
low complexity
f5 CWE-79
6.1
2017-05-09 CVE-2016-9256 Race Condition vulnerability in F5 products
In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request.
network
high complexity
f5 CWE-362
7.5
2017-05-09 CVE-2016-9253 Improper Input Validation vulnerability in F5 products
In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile.
network
low complexity
f5 CWE-20
7.5
2017-05-09 CVE-2016-9251 Permissions, Privileges, and Access Controls vulnerability in F5 products
In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection.
network
low complexity
f5 CWE-264
8.8
2017-05-01 CVE-2017-6128 Unspecified vulnerability in F5 products
An attacker may be able to cause a denial-of-service (DoS) attack against the sshd component in F5 BIG-IP, Enterprise Manager, BIG-IQ, and iWorkflow.
network
low complexity
f5
7.5
2017-04-11 CVE-2016-7467 Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager
The TMM SSO plugin in F5 BIG-IP APM 12.0.0 - 12.1.1, 11.6.0 - 11.6.1 HF1, 11.5.4 - 11.5.4 HF2, when configured as a SAML Identity Provider with a Service Provider (SP) connector, might allow traffic to be disrupted or failover initiated when a malformed, signed SAML authentication request from an authenticated user is sent via the SP connector.
network
high complexity
f5 CWE-20
5.3