Vulnerabilities > F5 > BIG IP Advanced WEB Application Firewall > High

DATE CVE VULNERABILITY TITLE RISK
2022-10-19 CVE-2022-41691 Unspecified vulnerability in F5 Big-Ip Application Security Manager
When a BIG-IP Advanced WAF/ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.
network
low complexity
f5
7.5
2022-10-19 CVE-2022-41836 Unspecified vulnerability in F5 products
When an 'Attack Signature False Positive Mode' enabled security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.
network
low complexity
f5
7.5
2022-05-05 CVE-2022-26890 Unspecified vulnerability in F5 products
On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, as well as APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate.
network
low complexity
f5
7.5
2022-05-05 CVE-2022-27806 Unspecified vulnerability in F5 products
On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP Advanced WAF, ASM, and ASM, and F5 BIG-IP Guided Configuration (GC) all versions prior to 9.0, when running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing command injection vulnerabilities in undisclosed URIs in F5 BIG-IP Guided Configuration.
network
low complexity
f5
7.2
2022-05-05 CVE-2022-29491 Unspecified vulnerability in F5 products
On F5 BIG-IP LTM, Advanced WAF, ASM, or APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a virtual server is configured with HTTP, TCP on one side (client/server), and DTLS on the other (server/client), undisclosed requests can cause the TMM process to terminate.
network
low complexity
f5
7.5
2022-01-25 CVE-2022-23025 NULL Pointer Dereference vulnerability in F5 products
On BIG-IP version 16.1.x before 16.1.1, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, when a SIP ALG profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-476
7.5
2021-11-11 CVE-2002-20001 Resource Exhaustion vulnerability in multiple products
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack.
network
low complexity
balasys siemens suse f5 hpe stormshield CWE-400
7.5
2021-09-14 CVE-2021-23029 Server-Side Request Forgery (SSRF) vulnerability in F5 products
On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility.
network
low complexity
f5 CWE-918
8.8
2021-09-14 CVE-2021-23026 Cross-Site Request Forgery (CSRF) vulnerability in F5 products
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
network
low complexity
f5 CWE-352
8.8
2021-09-14 CVE-2021-23025 OS Command Injection vulnerability in F5 products
On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.
network
low complexity
f5 CWE-78
8.8