15.1.5

DATE	CVE	VULNERABILITY TITLE	RISK
2024-02-14	CVE-2024-21782	OS Command Injection vulnerability in F5 products BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. local low complexity f5 CWE-78	6.7
2024-02-14	CVE-2024-22093	Command Injection vulnerability in F5 products When running in appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on multi-bladed systems. network low complexity f5 CWE-77 critical	9.6
2024-02-14	CVE-2024-22389	Unspecified vulnerability in F5 products When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device. network low complexity f5	6.5
2024-02-14	CVE-2024-23314	Unspecified vulnerability in F5 products When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated network low complexity f5	7.5
2024-02-14	CVE-2024-23976	Unspecified vulnerability in F5 products When running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions utilizing iAppsLX templates on a BIG-IP system. local low complexity f5	4.4
2024-02-14	CVE-2024-23979	Allocation of Resources Without Limits or Throttling vulnerability in F5 products When SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. network low complexity f5 CWE-770	7.5
2024-02-14	CVE-2024-24775	NULL Pointer Dereference vulnerability in F5 products When a virtual server is enabled with VLAN group and SNAT listener is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated network low complexity f5 CWE-476	7.5
2023-10-10	CVE-2023-44487	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. network low complexity ietf nghttp2 netty envoyproxy eclipse caddyserver golang f5 apache apple grpc microsoft nodejs dena facebook amazon debian kazu-yamamoto istio varnish-cache-project traefik projectcontour linkerd linecorp redhat fedoraproject netapp akka konghq jenkins openresty cisco	7.5
2023-10-10	CVE-2023-41964	Unspecified vulnerability in F5 products The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. network low complexity f5	6.5
2023-08-02	CVE-2023-38138	Unspecified vulnerability in F5 products A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. network low complexity f5	6.1