Vulnerabilities > F5 > BIG IP Global Traffic Manager

DATE CVE VULNERABILITY TITLE RISK
2023-10-10 CVE-2023-40542 Allocation of Resources Without Limits or Throttling vulnerability in F5 products
When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
network
low complexity
f5 CWE-770
7.5
2023-10-10 CVE-2023-41085 Improper Handling of Exceptional Conditions vulnerability in F5 products
When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-755
7.5
2023-10-10 CVE-2023-41373 Path Traversal vulnerability in F5 products
A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system.
network
low complexity
f5 CWE-22
critical
9.9
2023-10-10 CVE-2023-41964 Cleartext Storage of Sensitive Information vulnerability in F5 products
The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-312
6.5
2023-10-10 CVE-2023-42768 Insufficient Session Expiration vulnerability in F5 products
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST.
network
low complexity
f5 CWE-613
7.2
2023-10-10 CVE-2023-43485 Information Exposure Through Log Files vulnerability in F5 products
When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5 CWE-532
5.5
2023-10-10 CVE-2023-43611 Improper Verification of Cryptographic Signature vulnerability in F5 products
The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process.  This vulnerability is due to an incomplete fix for CVE-2023-38418.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
local
low complexity
f5 CWE-347
7.8
2023-10-10 CVE-2023-43746 Privilege Defined With Unsafe Actions vulnerability in F5 products
When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system.  A successful exploit can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-267
8.7
2023-10-10 CVE-2023-45219 Unspecified vulnerability in F5 products
Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5
4.4
2023-08-02 CVE-2023-38138 Cross-site Scripting vulnerability in F5 products
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-79
6.1