Vulnerabilities > F5 > BIG IP Policy Enforcement Manager > High

DATE CVE VULNERABILITY TITLE RISK
2017-10-20 CVE-2017-6144 Improper Certificate Validation vulnerability in F5 Big-Ip Policy Enforcement Manager 12.1.0/12.1.1/12.1.2
In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified.
network
high complexity
f5 CWE-295
7.4
2017-05-11 CVE-2016-7476 Improper Input Validation vulnerability in F5 products
The Traffic Management Microkernel (TMM) in F5 BIG-IP LTM, AAM, AFM, APM, ASM, GTM, Link Controller, PEM, PSM, and WebSafe 11.6.0 before 11.6.0 HF6, 11.5.0 before 11.5.3 HF2, and 11.3.0 before 11.4.1 HF10 may suffer from a memory leak while handling certain types of TCP traffic.
network
low complexity
f5 CWE-20
7.5
2017-05-10 CVE-2016-9250 Permissions, Privileges, and Access Controls vulnerability in F5 products
In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism.
network
low complexity
f5 CWE-264
7.5
2017-05-09 CVE-2016-9256 Race Condition vulnerability in F5 products
In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request.
network
high complexity
f5 CWE-362
7.5
2017-05-09 CVE-2016-9253 Improper Input Validation vulnerability in F5 products
In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile.
network
low complexity
f5 CWE-20
7.5
2017-05-09 CVE-2016-9251 Permissions, Privileges, and Access Controls vulnerability in F5 products
In F5 BIG-IP 12.0.0 through 12.1.2, an authenticated attacker may be able to cause an escalation of privileges through a crafted iControl REST connection.
network
low complexity
f5 CWE-264
8.8
2017-05-01 CVE-2017-6128 Unspecified vulnerability in F5 products
An attacker may be able to cause a denial-of-service (DoS) attack against the sshd component in F5 BIG-IP, Enterprise Manager, BIG-IQ, and iWorkflow.
network
low complexity
f5
7.5
2017-03-27 CVE-2016-9252 Data Processing Errors vulnerability in F5 products
The Traffic Management Microkernel (TMM) in F5 BIG-IP before 11.5.4 HF3, 11.6.x before 11.6.1 HF2 and 12.x before 12.1.2 does not properly handle minimum path MTU options for IPv6, which allows remote attackers to cause a denial-of-service (DoS) through unspecified vectors.
network
low complexity
f5 CWE-19
7.5
2017-02-09 CVE-2016-9244 Information Exposure vulnerability in F5 products
A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory.
network
low complexity
f5 CWE-200
7.5
2017-01-31 CVE-2016-9249 Improper Input Validation vulnerability in F5 products
An undisclosed traffic pattern received by a BIG-IP Virtual Server with TCP Fast Open enabled may cause the Traffic Management Microkernel (TMM) to restart, resulting in a Denial-of-Service (DoS).
network
low complexity
f5 CWE-20
7.5