Vulnerabilities > F5
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-01 | CVE-2021-23019 | Insufficiently Protected Credentials vulnerability in F5 Nginx Controller The NGINX Controller 2.0.0 thru 2.9.0 and 3.x before 3.15.0 Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package. | 7.8 |
| 2021-06-01 | CVE-2021-23020 | Use of Insufficiently Random Values vulnerability in F5 Nginx Controller The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | 5.5 |
| 2021-06-01 | CVE-2021-23021 | Incorrect Permission Assignment for Critical Resource vulnerability in F5 Nginx Controller The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644. | 5.5 |
| 2021-06-01 | CVE-2021-23018 | Cleartext Transmission of Sensitive Information vulnerability in F5 Nginx Controller Intra-cluster communication does not use TLS. | 7.4 |
| 2021-05-10 | CVE-2021-23009 | Infinite Loop vulnerability in F5 products On BIG-IP version 16.0.x before 16.0.1.1 and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. | 7.5 |
| 2021-05-10 | CVE-2021-23010 | Unspecified vulnerability in F5 Big-Ip Application Security Manager On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and 12.1.x before 12.1.5.3, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ASM bd process may produce a core file. | 7.5 |
| 2021-05-10 | CVE-2021-23012 | OS Command Injection vulnerability in F5 products On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute arbitrary bash commands on BIG-IP. | 8.2 |
| 2021-05-10 | CVE-2021-23014 | Missing Authorization vulnerability in F5 products On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. | 8.8 |
| 2021-05-10 | CVE-2021-23015 | Incorrect Authorization vulnerability in F5 products On BIG-IP 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.0.8 through 13.1.3.6, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. | 7.2 |
| 2021-05-10 | CVE-2021-23016 | Unspecified vulnerability in F5 Big-Ip Access Policy Manager On BIG-IP APM versions 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, and all versions of 16.0.x, 12.1.x, and 11.6.x, an attacker may be able to bypass APM's internal restrictions and retrieve static content that is hosted within APM by sending specifically crafted requests to an APM Virtual Server. | 5.3 |