Vulnerabilities > F5 > BIG IP Application Acceleration Manager

DATE CVE VULNERABILITY TITLE RISK
2023-02-01 CVE-2023-22374 Use of Externally-Controlled Format String vulnerability in F5 products
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code.
network
high complexity
f5 CWE-134
8.5
2023-02-01 CVE-2023-22418 Open Redirect vulnerability in F5 products
On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy.
network
low complexity
f5 CWE-601
6.1
2023-02-01 CVE-2023-22422 Classic Buffer Overflow vulnerability in F5 products
On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, when a HTTP profile with the non-default Enforcement options of Enforce HTTP Compliance and Unknown Methods: Reject are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-120
7.5
2023-02-01 CVE-2023-22664 Resource Exhaustion vulnerability in F5 products
On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-400
7.5
2023-02-01 CVE-2023-22842 Out-of-bounds Write vulnerability in F5 products
On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-787
7.5
2023-02-01 CVE-2023-23555 Improper Initialization vulnerability in F5 products
On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-665
7.5
2022-12-07 CVE-2022-41622 Cross-Site Request Forgery (CSRF) vulnerability in F5 products
In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-352
8.8
2022-12-07 CVE-2022-41800 Command Injection vulnerability in F5 products
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
network
low complexity
f5 CWE-77
8.7
2022-10-19 CVE-2022-36795 Incorrect Calculation vulnerability in F5 products
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x before 14.1.5.1, when an LTM TCP profile with Auto Receive Window Enabled is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.
network
low complexity
f5 CWE-682
7.5
2022-10-19 CVE-2022-41624 Memory Leak vulnerability in F5 products
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-401
7.5