Vulnerabilities > F5 > BIG IP Domain Name System > 13.1.1.4

DATE CVE VULNERABILITY TITLE RISK
2019-07-03 CVE-2019-6632 Use of Insufficiently Random Values vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness.
local
low complexity
f5 CWE-330
5.5
5.5
2019-07-03 CVE-2019-6633 Unspecified vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.
local
low complexity
f5
4.4
4.4
2019-07-03 CVE-2019-6625 Cross-site Scripting vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility.
network
low complexity
f5 CWE-79
6.1
6.1
2019-07-02 CVE-2019-6621 OS Command Injection vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user.
network
low complexity
f5 CWE-78
7.2
7.2
2019-07-02 CVE-2019-6620 OS Command Injection vulnerability in F5 products
On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user.
network
low complexity
f5 CWE-78
7.2
7.2
2019-07-01 CVE-2019-6642 Unspecified vulnerability in F5 products
In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, authenticated users with the ability to upload files (via scp, for example) can escalate their privileges to allow root shell access from within the TMOS Shell (tmsh) interface.
network
low complexity
f5
8.8
8.8
2019-06-19 CVE-2019-11479 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes.
network
low complexity
linux f5 canonical redhat CWE-770
7.5
7.5
2019-05-23 CVE-2019-12295 Uncontrolled Recursion vulnerability in multiple products
In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash.
network
low complexity
wireshark debian canonical f5 CWE-674
7.5
7.5
2019-05-03 CVE-2019-6617 Improper Privilege Management vulnerability in F5 products
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, a user with the Resource Administrator role is able to overwrite sensitive low-level files (such as /etc/passwd) using SFTP to modify user permissions, without Advanced Shell access.
network
low complexity
f5 CWE-269
6.5
6.5
2019-05-03 CVE-2019-6616 Unspecified vulnerability in F5 products
On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, administrative users with TMSH access can overwrite critical system files on BIG-IP which can result in bypass of whitelist / blacklist restrictions enforced by appliance mode.
network
low complexity
f5
7.2
7.2