Vulnerabilities > F5 > BIG IQ Centralized Management > 7.0.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-26340 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, an authenticated, high-privileged attacker with no bash access may be able to access Certificate and Key files using Secure Copy (SCP) protocol from a remote system. | 4.0 |
| 2022-05-05 | CVE-2022-29479 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, when an IPv6 self IP address is configured and the ipv6.strictcompliance database key is enabled (disabled by default) on a BIG-IP system, undisclosed packets may cause decreased performance. | 5.0 |
| 2022-01-25 | CVE-2022-23023 | Resource Exhaustion vulnerability in F5 products On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. | 4.0 |
| 2021-09-14 | CVE-2021-23026 | Cross-Site Request Forgery (CSRF) vulnerability in F5 products BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. | 6.8 |
| 2021-06-10 | CVE-2021-23024 | Unspecified vulnerability in F5 Big-Iq Centralized Management On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. | 9.0 |
| 2021-03-31 | CVE-2021-23006 | Cross-site Scripting vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. | 4.3 |
| 2021-03-31 | CVE-2021-23005 | Unspecified vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol. | 6.4 |
| 2021-03-31 | CVE-2021-22997 | Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. | 5.0 |
| 2021-03-31 | CVE-2021-22996 | Unspecified vulnerability in F5 Big-Iq Centralized Management 7.0.0/7.1.0/7.1.0.1 On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. | 5.0 |
| 2021-03-31 | CVE-2021-22995 | Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon. | 5.0 |