Vulnerabilities > F5
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-04-23 | CVE-2020-5865 | Cleartext Transmission of Sensitive Information vulnerability in multiple products In versions prior to 3.3.0, the NGINX Controller is configured to communicate with its Postgres database server over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks. | 5.8 |
| 2020-04-23 | CVE-2020-5864 | Improper Certificate Validation vulnerability in F5 Nginx Controller In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default. | 5.8 |
| 2020-03-27 | CVE-2020-5863 | In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts. | 7.5 |
| 2020-03-27 | CVE-2020-5862 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.1.0-15.1.0.1, 15.0.0-15.0.1.1, and 14.1.0-14.1.2.2, under certain conditions, TMM may crash or stop processing new traffic with the DPDK/ENA driver on AWS systems while sending traffic. | 5.0 |
| 2020-03-27 | CVE-2020-5861 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in F5 products On BIG-IP 12.1.0-12.1.5, the TMM process may produce a core file in some cases when Ram Cache incorrectly optimizes stored data resulting in memory errors. | 5.0 |
| 2020-03-27 | CVE-2020-5860 | Inadequate Encryption Strength vulnerability in F5 products On BIG-IP 15.0.0-15.1.0.2, 14.1.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5.1, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, in a High Availability (HA) network failover in Device Service Cluster (DSC), the failover service does not require a strong form of authentication and HA network failover traffic is not encrypted by Transport Layer Security (TLS). | 6.8 |
| 2020-03-27 | CVE-2020-5859 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.1.0.1, specially formatted HTTP/3 messages may cause TMM to produce a core file. | 5.0 |
| 2020-03-27 | CVE-2020-5858 | Improper Privilege Management vulnerability in F5 products On BIG-IP 15.0.0-15.0.1.2, 14.1.0-14.1.2.2, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1 and BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, users with non-administrator roles (for example, Guest or Resource Administrator) with tmsh shell access can execute arbitrary commands with elevated privilege via a crafted tmsh command. | 4.6 |
| 2020-03-27 | CVE-2020-5857 | Improper Input Validation vulnerability in F5 products On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, undisclosed HTTP behavior may lead to a denial of service. | 5.0 |
| 2020-02-21 | CVE-2013-3587 | Information Exposure vulnerability in F5 products The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929. | 5.9 |