Vulnerabilities > F5 > BIG IQ Centralized Management > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-14 | CVE-2024-23314 | Unspecified vulnerability in F5 products When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 7.5 |
| 2024-02-14 | CVE-2024-23979 | Allocation of Resources Without Limits or Throttling vulnerability in F5 products When SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. | 7.5 |
| 2024-02-14 | CVE-2024-24775 | NULL Pointer Dereference vulnerability in F5 products When a virtual server is enabled with VLAN group and SNAT listener is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 7.5 |
| 2022-12-07 | CVE-2022-41622 | Cross-Site Request Forgery (CSRF) vulnerability in F5 products In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 8.8 |
| 2022-08-04 | CVE-2022-34844 | Unspecified vulnerability in F5 products In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP or BIG-IQ on Amazon Web Services (AWS) systems, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |
| 2022-01-25 | CVE-2022-23009 | Incorrect Authorization vulnerability in F5 Big-Iq Centralized Management 8.0.0 On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system. | 7.2 |
| 2021-11-11 | CVE-2002-20001 | Resource Exhaustion vulnerability in multiple products The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)at or D(HE)ater attack. | 7.5 |
| 2021-09-14 | CVE-2021-23026 | Cross-Site Request Forgery (CSRF) vulnerability in F5 products BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x and all versions of BIG-IQ 8.x, 7.x, and 6.x are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. | 8.8 |
| 2021-06-10 | CVE-2021-23024 | Unspecified vulnerability in F5 Big-Iq Centralized Management On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. | 7.2 |
| 2021-03-31 | CVE-2021-22997 | Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. | 7.5 |