Vulnerabilities > F5 > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-05 | CVE-2022-28708 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, when a BIG-IP DNS resolver-enabled, HTTP-Explicit or SOCKS profile is configured on a virtual server, an undisclosed DNS response can cause the Traffic Management Microkernel (TMM) process to terminate. | 5.9 |
| 2022-05-05 | CVE-2022-28859 | Information Exposure Through Log Files vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1 and 14.1.x versions prior to 14.1.4.6, when installing Net HSM, the scripts (nethsm-safenet-install.sh and nethsm-thales-install.sh) expose the Net HSM partition password. | 6.5 |
| 2022-05-05 | CVE-2022-29474 | Path Traversal vulnerability in F5 products On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, a directory traversal vulnerability exists in iControl SOAP that allows an authenticated attacker with at least guest role privileges to read wsdl files in the BIG-IP file system. | 4.3 |
| 2022-05-05 | CVE-2022-29479 | Improper Input Validation vulnerability in F5 products On F5 BIG-IP 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, and F5 BIG-IQ Centralized Management all versions of 8.x and 7.x, when an IPv6 self IP address is configured and the ipv6.strictcompliance database key is enabled (disabled by default) on a BIG-IP system, undisclosed packets may cause decreased performance. | 5.3 |
| 2022-05-05 | CVE-2022-29480 | Resource Exhaustion vulnerability in F5 products On F5 BIG-IP 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when multiple route domains are configured, undisclosed requests to big3d can cause an increase in CPU resource utilization. | 5.3 |
| 2022-04-21 | CVE-2021-23055 | Unspecified vulnerability in F5 Nginx Ingress Controller On version 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. | 6.5 |
| 2022-04-15 | CVE-2022-28049 | NULL Pointer Dereference vulnerability in F5 NJS 0.7.2 NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c. | 5.5 |
| 2022-01-25 | CVE-2022-23008 | Cross-site Scripting vulnerability in F5 Nginx Controller API Management 3.18.0/3.19.0 On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. | 5.4 |
| 2022-01-25 | CVE-2022-23014 | Improper Input Validation vulnerability in F5 Big-Ip Access Policy Manager On versions 16.1.x before 16.1.2 and 15.1.x before 15.1.4.1, when BIG-IP APM portal access is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 6.5 |
| 2022-01-25 | CVE-2022-23023 | Resource Exhaustion vulnerability in F5 products On BIG-IP version 16.1.x before 16.1.2.1, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x and 12.1.x, and BIG-IQ all versions of 8.x and 7.x, undisclosed requests by an authenticated iControl REST user can cause an increase in memory resource utilization. | 6.5 |