Vulnerabilities > F5 > BIG IP Access Policy Manager > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-01-25 CVE-2022-23029 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in F5 products
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-367
5.3
2022-01-25 CVE-2022-23030 Resource Exhaustion vulnerability in F5 products
On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization.
network
low complexity
f5 CWE-400
5.3
2022-01-25 CVE-2022-23032 Origin Validation Error vulnerability in F5 Big-Ip Access Policy Manager
In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack.
network
low complexity
f5 CWE-346
5.3
2021-09-27 CVE-2021-23054 Cross-site Scripting vulnerability in F5 Big-Ip Access Policy Manager
On version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23027 Cross-site Scripting vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23043 Path Traversal vulnerability in F5 products
On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files.
network
low complexity
f5 CWE-22
6.5
2021-09-14 CVE-2021-23046 Information Exposure Through Log Files vulnerability in F5 Big-Ip Access Policy Manager
On all versions of Guided Configuration before 8.0.0, when a configuration that contains secure properties is created and deployed from Access Guided Configuration (AGC), secure properties are logged in restnoded logs.
network
low complexity
f5 CWE-532
4.9
2021-09-14 CVE-2021-23041 Cross-site Scripting vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23047 Resource Exhaustion vulnerability in F5 Big-Ip Access Policy Manager
On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, and all versions of 13.1.x, 12.1.x and 11.6.x, when BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use.
network
low complexity
f5 CWE-400
5.3
2021-09-14 CVE-2021-23052 Open Redirect vulnerability in F5 Big-Ip Access Policy Manager
On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy.
network
low complexity
f5 CWE-601
6.1