Vulnerabilities > F5 > High

DATE CVE VULNERABILITY TITLE RISK
2018-10-08 CVE-2016-7475 Improper Input Validation vulnerability in F5 products
Under some circumstances on BIG-IP 12.0.0-12.1.0, 11.6.0-11.6.1, or 11.4.0-11.5.4 HF1, the Traffic Management Microkernel (TMM) may not properly clean-up pool member network connections when using SPDY or HTTP/2 virtual server profiles.
network
low complexity
f5 CWE-20
7.5
2018-09-13 CVE-2018-5549 Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager
On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and 13.1.0-13.1.0.3, APMD may core when processing SAML Assertion or response containing certain elements.
network
low complexity
f5 CWE-20
7.5
2018-09-13 CVE-2018-5545 Improper Input Validation vulnerability in F5 Websafe Alert Server
On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated user can execute code on the alert server by using a maliciously crafted payload.
network
low complexity
f5 CWE-20
8.8
2018-09-06 CVE-2018-5391 Improper Input Validation vulnerability in multiple products
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.
7.5
2018-08-17 CVE-2018-5547 Missing Authorization vulnerability in F5 Big-Ip Access Policy Manager Client 7.1.6/7.1.6.1/7.1.7
Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access.
local
low complexity
f5 CWE-862
7.8
2018-08-17 CVE-2018-5546 Incorrect Permission Assignment for Critical Resource vulnerability in F5 products
The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host.
local
low complexity
f5 CWE-732
7.8
2018-08-06 CVE-2018-5390 Resource Exhaustion vulnerability in multiple products
Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service.
7.5
2018-07-31 CVE-2018-5544 Information Exposure vulnerability in F5 Big-Ip Access Policy Manager
When the F5 BIG-IP APM 13.0.0-13.1.1 or 12.1.0-12.1.3 renders certain pages (pages with a logon agent or a confirm box), the BIG-IP APM may disclose configuration information such as partition and agent names via URI parameters.
network
low complexity
f5 CWE-200
7.5
2018-07-31 CVE-2018-5543 Insufficiently Protected Credentials vulnerability in F5 Big-Ip Controller
The F5 BIG-IP Controller for Kubernetes 1.0.0-1.5.0 (k8s-bigip-crtl) passes BIG-IP username and password as command line parameters, which may lead to disclosure of the credentials used by the container.
network
low complexity
f5 CWE-522
8.8
2018-07-25 CVE-2018-5542 Improper Input Validation vulnerability in F5 products
F5 BIG-IP 13.0.0-13.0.1, 12.1.0-12.1.3.6, or 11.2.1-11.6.3.2 HTTPS health monitors do not validate the identity of the monitored server.
network
high complexity
f5 CWE-20
8.1