Vulnerabilities > F5

DATE CVE VULNERABILITY TITLE RISK
2022-02-14 CVE-2021-46462 Unspecified vulnerability in F5 NJS
njs through 0.7.1, used in NGINX, was discovered to contain a segmentation violation via njs_object_set_prototype in /src/njs_object.c.
network
low complexity
f5
7.5
2022-02-14 CVE-2021-46463 Type Confusion vulnerability in F5 NJS
njs through 0.7.1, used in NGINX, was discovered to contain a control flow hijack caused by a Type Confusion vulnerability in njs_promise_perform_then().
network
low complexity
f5 CWE-843
critical
9.8
2022-02-14 CVE-2022-25139 Use After Free vulnerability in F5 NJS
njs through 0.7.0, used in NGINX, was discovered to contain a heap use-after-free in njs_await_fulfilled.
network
low complexity
f5 CWE-416
critical
9.8
2022-01-25 CVE-2022-23008 Cross-site Scripting vulnerability in F5 Nginx Controller API Management 3.18.0/3.19.0
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances.
network
low complexity
f5 CWE-79
5.4
2022-01-25 CVE-2022-23009 Incorrect Authorization vulnerability in F5 Big-Iq Centralized Management 8.0.0
On BIG-IQ Centralized Management 8.x before 8.1.0, an authenticated administrative role user on a BIG-IQ managed BIG-IP device can access other BIG-IP devices managed by the same BIG-IQ system.
network
low complexity
f5 CWE-863
7.2
2022-01-25 CVE-2022-23010 Improper Resource Shutdown or Release vulnerability in F5 products
On BIG-IP versions 16.x before 16.1.0, 15.1.x before 15.1.4.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, when a FastL4 profile and an HTTP profile are configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.
network
low complexity
f5 CWE-404
7.5
2022-01-25 CVE-2022-23011 Incorrect Calculation vulnerability in F5 products
On certain hardware BIG-IP platforms, in version 15.1.x before 15.1.4 and 14.1.x before 14.1.3, virtual servers may stop responding while processing TCP traffic due to an issue in the SYN Cookie Protection feature.
network
low complexity
f5 CWE-682
7.5
2022-01-25 CVE-2022-23012 Double Free vulnerability in F5 products
On BIG-IP versions 15.1.x before 15.1.4.1 and 14.1.x before 14.1.4.5, when the HTTP/2 profile is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-415
7.5
2022-01-25 CVE-2022-23013 Cross-site Scripting vulnerability in F5 products
On BIG-IP DNS & GTM version 16.x before 16.1.0, 15.1.x before 15.1.4, 14.1.x before 14.1.4.4, and all versions of 13.1.x, 12.1.x, and 11.6.x, a DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user.
network
low complexity
f5 CWE-79
8.8
2022-01-25 CVE-2022-23014 Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager
On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate.
network
low complexity
f5 CWE-20
6.5