Vulnerabilities > F5

DATE CVE VULNERABILITY TITLE RISK
2021-05-10 CVE-2021-23009 Infinite Loop vulnerability in F5 products
On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic.
network
low complexity
f5 CWE-835
7.5
2021-05-10 CVE-2021-23010 Unspecified vulnerability in F5 Big-Ip Application Security Manager
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file.
network
low complexity
f5
7.5
2021-05-10 CVE-2021-23012 OS Command Injection vulnerability in F5 products
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP.
local
low complexity
f5 CWE-78
8.2
2021-05-10 CVE-2021-23014 Missing Authorization vulnerability in F5 products
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files.
network
low complexity
f5 CWE-862
8.8
2021-05-10 CVE-2021-23015 Incorrect Authorization vulnerability in F5 products
On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints.
network
low complexity
f5 CWE-863
7.2
2021-05-10 CVE-2021-23016 Unspecified vulnerability in F5 Big-Ip Access Policy Manager
On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server.
network
low complexity
f5
5.3
2021-05-10 CVE-2021-23008 Improper Authentication vulnerability in F5 Big-Ip Access Policy Manager
On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of 16.0.x and 11.6.x., BIG-IP APM AD (Active Directory) authentication can be bypassed via a spoofed AS-REP (Kerberos Authentication Service Response) response sent over a hijacked KDC (Kerberos Key Distribution Center) connection or from an AD server compromised by an attacker.
network
low complexity
f5 CWE-287
critical
9.8
2021-05-10 CVE-2021-23011 Resource Exhaustion vulnerability in F5 products
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, when the BIG-IP system is buffering packet fragments for reassembly, the Traffic Management Microkernel (TMM) may consume an excessive amount of resources, eventually leading to a restart and failover event.
network
low complexity
f5 CWE-400
7.5
2021-05-10 CVE-2021-23013 Unspecified vulnerability in F5 products
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, the Traffic Management Microkernel (TMM) may stop responding when processing Stream Control Transmission Protocol (SCTP) traffic under certain conditions.
network
low complexity
f5
7.5
2021-03-31 CVE-2021-23007 Unspecified vulnerability in F5 products
On BIG-IP versions 14.1.4 and 16.0.1.1, when the Traffic Management Microkernel (TMM) process handles certain undisclosed traffic, it may start dropping all fragmented IP traffic.
network
low complexity
f5
5.3