Vulnerabilities > F5 > High

DATE CVE VULNERABILITY TITLE RISK
2020-04-30 CVE-2020-5876 Cleartext Transmission of Sensitive Information vulnerability in F5 products
On BIG-IP 15.0.0-15.0.1.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, a race condition exists where mcpd and other processes may make unencrypted connection attempts to a new configuration sync peer.
network
high complexity
f5 CWE-319
8.1
2020-04-30 CVE-2020-5875 Unspecified vulnerability in F5 products
On BIG-IP 15.0.0-15.0.1 and 14.1.0-14.1.2.3, under certain conditions, the Traffic Management Microkernel (TMM) may generate a core file and restart while processing SSL traffic with an HTTP/2 full proxy.
network
low complexity
f5
7.5
2020-04-30 CVE-2020-5874 Unspecified vulnerability in F5 Big-Ip Access Policy Manager
On BIG-IP APM 15.0.0-15.0.1.2, 14.1.0-14.1.2.3, and 14.0.0-14.0.1, in certain circumstances, an attacker sending specifically crafted requests to a BIG-IP APM virtual server may cause a disruption of service provided by the Traffic Management Microkernel(TMM).
network
low complexity
f5
7.5
2020-04-30 CVE-2020-5873 Unspecified vulnerability in F5 products
On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request.
network
low complexity
f5
7.2
2020-04-30 CVE-2020-5872 Unspecified vulnerability in F5 products
On BIG-IP 14.1.0-14.1.2.3, 14.0.0-14.0.1, 13.1.0-13.1.3.1, and 12.1.0-12.1.4.1, when processing TLS traffic with hardware cryptographic acceleration enabled on platforms with Intel QAT hardware, the Traffic Management Microkernel (TMM) may stop responding and cause a failover event.
network
low complexity
f5
7.5
2020-04-30 CVE-2020-5871 Unspecified vulnerability in F5 products
On BIG-IP 14.1.0-14.1.2.3, undisclosed requests can lead to a denial of service (DoS) when sent to BIG-IP HTTP/2 virtual servers.
network
low complexity
f5
7.5
2020-04-24 CVE-2020-5870 Missing Authentication for Critical Function vulnerability in F5 Big-Iq Centralized Management
In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization mechanisms do not use any form of authentication for connecting to the peer.
low complexity
f5 CWE-306
8.1
2020-04-23 CVE-2020-5867 Download of Code Without Integrity Check vulnerability in multiple products
In versions prior to 3.3.0, the NGINX Controller Agent installer script 'install.sh' uses HTTP instead of HTTPS to check and install packages
network
high complexity
f5 netapp CWE-494
8.1
2020-04-23 CVE-2020-5864 Improper Certificate Validation vulnerability in F5 Nginx Controller
In versions of NGINX Controller prior to 3.2.0, communication between NGINX Controller and NGINX Plus instances skip TLS verification by default.
network
high complexity
f5 CWE-295
7.4
2020-03-27 CVE-2020-5863 In NGINX Controller versions prior to 3.2.0, an unauthenticated attacker with network access to the Controller API can create unprivileged user accounts.
network
low complexity
f5 netapp
8.6