This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor: f5
Product: Big-Ip Policy Enforcement Manager
Version: 13.0.0
Update: hf1
Edition: *
Language: *
Software Edition: *
Target Software: *
Target Hardware: *
Other: *

First view: 2018-03-22
Last view: 2024-08-14
Type: Application

CPE Product: cpe:2.3:a:f5:big-ip_policy_enforcement_manager

Activity : Overall

Related : CVE

This CPE has more than 25 relations. If you want to see a complete summary for this CPE, please contact us.
Score Date Alert Description
7.5 2024-08-14 CVE-2024-41727

In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed traffic can cause an increase in memory resource utilization.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

4.3 2024-08-14 CVE-2024-41723

Undisclosed requests to BIG-IP iControl REST can lead to information leak of user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-08-14 CVE-2024-41164

When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a Virtual Server, undisclosed traffic along with conditions beyond the attacker's control can cause TMM to terminate.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-08-14 CVE-2024-39778

When a stateless virtual server is configured on BIG-IP system with a High-Speed Bridge (HSB), undisclosed requests can cause TMM to terminate.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-02-14 CVE-2024-24775

When a virtual server is enabled with VLAN group and SNAT listener is configured, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-02-14 CVE-2024-23982

When a BIG-IP PEM classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This issue affects classification engines using signatures released between 09-08-2022 and 02-16-2023. See the table in the F5 Security Advisory for a complete list of affected classification signature files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-02-14 CVE-2024-23979

When SSL Client Certificate LDAP or Certificate Revocation List Distribution Point (CRLDP) authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

4.4 2024-02-14 CVE-2024-23976

When running in Appliance mode, an authenticated attacker assigned the Administrator role may be able to bypass Appliance mode restrictions utilizing iAppsLX templates on a BIG-IP system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2024-02-14 CVE-2024-23314

When HTTP/2 is configured on BIG-IP or BIG-IP Next SPK systems, undisclosed responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.5 2024-02-14 CVE-2024-22389

When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

9.6 2024-02-14 CVE-2024-22093

When running in appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on multi-bladed systems. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.7 2024-02-14 CVE-2024-21782

BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

8.8 2023-10-26 CVE-2023-46748

An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

9.8 2023-10-26 CVE-2023-46747

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-45219

An Exposure of Sensitive Information vulnerability exists in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-10-10 CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

0 2023-10-10 CVE-2023-43746

When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-43611

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-43485

When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-42768

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still have access to iControl REST admin resources. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.5 2023-10-10 CVE-2023-41964

The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-41373

A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP systems running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-41085

When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-40542

When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

0 2023-10-10 CVE-2023-40537

An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE : Common Weakness Enumeration

% (count) CWE ID Name
12% (20) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
12% (20) CWE-20 Improper Input Validation
9% (15) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
5% (9) CWE-476 NULL Pointer Dereference
3% (6) CWE-770 Allocation of Resources Without Limits or Throttling
3% (6) CWE-319 Cleartext Transmission of Sensitive Information
3% (6) CWE-269 Improper Privilege Management
3% (5) CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory L...
3% (5) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...
2% (4) CWE-362 Race Condition
2% (4) CWE-352 Cross-Site Request Forgery (CSRF)
2% (4) CWE-326 Inadequate Encryption Strength
1% (3) CWE-787 Out-of-bounds Write
1% (3) CWE-434 Unrestricted Upload of File with Dangerous Type
1% (3) CWE-295 Certificate Issues
1% (3) CWE-287 Improper Authentication
1% (3) CWE-200 Information Exposure
1% (3) CWE-77 Improper Sanitization of Special Elements used in a Command ('Comma...
1% (3) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
1% (2) CWE-772 Missing Release of Resource after Effective Lifetime
1% (2) CWE-732 Incorrect Permission Assignment for Critical Resource
1% (2) CWE-668 Exposure of Resource to Wrong Sphere
1% (2) CWE-404 Improper Resource Shutdown or Release
1% (2) CWE-203 Information Exposure Through Discrepancy
1% (2) CWE-125 Out-of-bounds Read

SAINT Exploits

Description
F5 BIG-IP iControl REST vulnerability

Snort® IPS/IDS

Date Description
2020-08-11 F5 BIG-IP Traffic Management User Interface remote code execution attempt
RuleID : 54484 - Type : SERVER-WEBAPP - Revision : 2
2020-08-06 F5 BIG-IP Traffic Management User Interface remote code execution attempt
RuleID : 54462 - Type : SERVER-WEBAPP - Revision : 3
2020-07-07 lodash defaultsDeep prototype pollution attempt
RuleID : 54184 - Type : SERVER-OTHER - Revision : 1

Nessus® Vulnerability Scanner

Date Description
2019-01-11 Name: The remote Virtuozzo host is missing multiple security updates.
File: Virtuozzo_VZA-2018-075.nasl - Type: ACT_GATHER_INFO
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-50075276e8.nasl - Type: ACT_GATHER_INFO
2018-12-21 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL61620494.nasl - Type: ACT_GATHER_INFO
2018-12-21 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL23328310.nasl - Type: ACT_GATHER_INFO
2018-12-14 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL95343321.nasl - Type: ACT_GATHER_INFO
2018-12-13 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL42027747.nasl - Type: ACT_GATHER_INFO
2018-12-11 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1406.nasl - Type: ACT_GATHER_INFO
2018-12-05 Name: The remote PhotonOS host is missing multiple security updates.
File: PhotonOS_PHSA-2018-2_0-0101.nasl - Type: ACT_GATHER_INFO
2018-11-16 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-3083.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL37442533.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL28003839.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL41704442.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL43121447.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL43625118.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL44462254.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL45320419.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL45611803.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL46121888.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL46940010.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL49440608.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL51754851.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL53931245.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL54562183.nasl - Type: ACT_GATHER_INFO
2018-11-02 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL62750376.nasl - Type: ACT_GATHER_INFO