Vulnerabilities > F5 > BIG IP Global Traffic Manager > High

DATE CVE VULNERABILITY TITLE RISK
2024-08-14 CVE-2024-39778 Unspecified vulnerability in F5 products
When a stateless virtual server is configured on BIG-IP system with a High-Speed Bridge (HSB), undisclosed requests can cause TMM to terminate.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
7.5
2024-08-14 CVE-2024-41164 NULL Pointer Dereference vulnerability in F5 products
When TCP profile with Multipath TCP enabled (MPTCP) is configured on a Virtual Server, undisclosed traffic along with conditions beyond the attackers control can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-476
7.5
2024-08-14 CVE-2024-41727 Allocation of Resources Without Limits or Throttling vulnerability in F5 products
In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed traffic can cause an increase in memory resource utilization.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-770
7.5
2023-11-21 CVE-2023-45886 The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.
network
low complexity
f5 ipinfusion
7.5
2023-10-26 CVE-2023-46748 SQL Injection vulnerability in F5 products
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
network
low complexity
f5 CWE-89
8.8
2023-10-10 CVE-2023-44487 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. 7.5
2022-12-07 CVE-2022-41622 Cross-Site Request Forgery (CSRF) vulnerability in F5 products
In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-352
8.8
2022-12-07 CVE-2022-41800 Command Injection vulnerability in F5 products
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint.
network
low complexity
f5 CWE-77
8.7
2022-10-19 CVE-2022-36795 Unspecified vulnerability in F5 products
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x before 14.1.5.1, when an LTM TCP profile with Auto Receive Window Enabled is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.
network
low complexity
f5
7.5
2022-10-19 CVE-2022-41624 Unspecified vulnerability in F5 products
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.
network
low complexity
f5
7.5