Vulnerabilities > F5 > Medium

DATE CVE VULNERABILITY TITLE RISK
2025-03-04 CVE-2025-1695 Infinite Loop vulnerability in F5 Nginx
In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization.
network
low complexity
f5 CWE-835
5.3
2024-11-06 CVE-2024-10318 Session Fixation vulnerability in F5 products
A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time.
network
low complexity
f5 CWE-384
5.4
2024-08-22 CVE-2024-7634 Path Traversal vulnerability in F5 Nginx Agent and Nginx Instance Manager
NGINX Agent's "config_dirs" restriction feature allows a highly privileged attacker to gain the ability to write/overwrite files outside of the designated secure directory.
network
low complexity
f5 CWE-22
4.9
2024-08-14 CVE-2024-37028 Improper Authentication vulnerability in F5 Big-Ip Next Central Manager
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5 CWE-287
5.3
2024-08-14 CVE-2024-41719 Information Exposure Through Log Files vulnerability in F5 Big-Ip Next Central Manager
When generating QKView of BIG-IP Next instance from the BIG-IP Next Central Manager (CM), F5 iHealth credentials will be logged in the BIG-IP Central Manager logs.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
local
low complexity
f5 CWE-532
5.5
2024-08-14 CVE-2024-41723 Unspecified vulnerability in F5 products
Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
network
low complexity
f5
4.3
2024-08-14 CVE-2024-7347 Out-of-bounds Read vulnerability in F5 Nginx Open Source and Nginx Plus
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file.
local
high complexity
f5 CWE-125
4.7
2024-05-29 CVE-2024-31079 Out-of-bounds Write vulnerability in multiple products
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact.
network
high complexity
f5 fedoraproject CWE-787
4.8
2024-05-29 CVE-2024-32760 Out-of-bounds Write vulnerability in multiple products
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
network
low complexity
f5 fedoraproject CWE-787
6.5
2024-05-29 CVE-2024-34161 Use After Free vulnerability in multiple products
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
network
low complexity
f5 fedoraproject CWE-416
5.3