Vulnerabilities > F5 > BIG IP Application Security Manager

DATE CVE VULNERABILITY TITLE RISK
2021-09-14 CVE-2021-23026 Cross-Site Request Forgery (CSRF) vulnerability in F5 products
BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
network
low complexity
f5 CWE-352
8.8
2021-09-14 CVE-2021-23027 Cross-site Scripting vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
low complexity
f5 CWE-79
6.1
2021-09-14 CVE-2021-23025 OS Command Injection vulnerability in F5 products
On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility.
network
low complexity
f5 CWE-78
8.8
2021-09-14 CVE-2021-23028 Improper Input Validation vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate.
network
low complexity
f5 CWE-20
7.5
2021-09-14 CVE-2021-23030 Improper Input Validation vulnerability in F5 Big-Ip Application Security Manager
On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
network
low complexity
f5 CWE-20
7.5
2021-09-14 CVE-2021-23031 OS Command Injection vulnerability in F5 products
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility.
network
low complexity
f5 CWE-78
critical
9.9
2021-09-14 CVE-2021-23036 Improper Input Validation vulnerability in F5 products
On version 16.0.x before 16.0.1.2, when a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-20
7.5
2021-09-14 CVE-2021-23033 Unspecified vulnerability in F5 products
On BIG-IP Advanced WAF and BIG-IP ASM version 16.x before 16.1.0x, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate.
network
low complexity
f5
7.5
2021-09-14 CVE-2021-23034 Exposure of Resource to Wrong Sphere vulnerability in F5 products
On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate.
network
low complexity
f5 CWE-668
7.5
2021-09-14 CVE-2021-23035 Unspecified vulnerability in F5 products
On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5
7.5