Vulnerabilities > F5 > BIG IP Advanced WEB Application Firewall > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-01-25 CVE-2022-23026 Unrestricted Upload of File with Dangerous Type vulnerability in F5 products
On BIG-IP ASM & Advanced WAF version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, an authenticated user with low privileges, such as a guest, can upload data using an undisclosed REST endpoint causing an increase in disk resource utilization.
network
low complexity
f5 CWE-434
4.3
2022-01-25 CVE-2022-23027 Incorrect Comparison vulnerability in F5 products
On BIG-IP versions 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, 13.1.x beginning in 13.1.3.6, 12.1.5.3-12.1.6, and 11.6.5.2, when a FastL4 profile and an HTTP, FIX, and/or hash persistence profile are configured on the same virtual server, undisclosed requests can cause the virtual server to stop processing new client connections.
network
low complexity
f5 CWE-697
5.3
2022-01-25 CVE-2022-23029 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in F5 products
On BIG-IP version 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-367
5.3
2022-01-25 CVE-2022-23030 Resource Exhaustion vulnerability in F5 products
On version 16.1.x before 16.1.2, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when the BIG-IP Virtual Edition (VE) uses the ixlv driver (which is used in SR-IOV mode and requires Intel X710/XL710/XXV710 family of network adapters on the Hypervisor) and TCP Segmentation Offload configuration is enabled, undisclosed requests may cause an increase in CPU resource utilization.
network
low complexity
f5 CWE-400
5.3
2022-01-25 CVE-2022-23031 XXE vulnerability in F5 Big-Ip Application Security Manager
On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (TMUI), also referred to as the Configuration utility, that allows an authenticated high-privileged attacker to read local files and force BIG-IP to send HTTP requests.
network
low complexity
f5 CWE-611
4.9
2021-09-14 CVE-2021-23027 Cross-site Scripting vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23041 Cross-site Scripting vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23053 Allocation of Resources Without Limits or Throttling vulnerability in F5 products
On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database.
network
low complexity
f5 CWE-770
5.3
2021-03-31 CVE-2021-23007 Unspecified vulnerability in F5 products
On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic.
network
low complexity
f5
5.3
2021-03-31 CVE-2021-23001 Unrestricted Upload of File with Dangerous Type vulnerability in F5 products
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint.
network
low complexity
f5 CWE-434
4.3