Summary
Detail | |||
---|---|---|---|
Vendor | f5 | First view | 2012-10-16 |
Product | Big-Ip Access Policy Manager | Last view | 2023-10-26 |
Version | 11.2.1 | Type | Application |
Update | * | ||
Edition | * | ||
Language | * | ||
Sofware Edition | * | ||
Target Software | * | ||
Target Hardware | * | ||
Other | * | ||
CPE Product | cpe:2.3:a:f5:big-ip_access_policy_manager |
Activity : Overall
Related : CVE
Date | Alert | Description | |
---|---|---|---|
8.8 | 2023-10-26 | CVE-2023-46748 | An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Â Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
9.8 | 2023-10-26 | CVE-2023-46747 | Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
7.8 | 2023-10-10 | CVE-2023-5450 | An insufficient verification of data vulnerability exists in BIG-IP Edge Client Installer on macOS that may allow an attacker elevation of privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
4.4 | 2023-10-10 | CVE-2023-45219 | Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.5 | 2023-10-10 | CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
8.7 | 2023-10-10 | CVE-2023-43746 | When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.8 | 2023-10-10 | CVE-2023-43611 | The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
5.5 | 2023-10-10 | CVE-2023-43485 | When TACACS+ audit forwarding is configured on BIG-IP or BIG-IQ system, sharedsecret is logged in plaintext in the audit log. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.2 | 2023-10-10 | CVE-2023-42768 | When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
6.5 | 2023-10-10 | CVE-2023-41964 | The BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
9.9 | 2023-10-10 | CVE-2023-41373 | A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.5 | 2023-10-10 | CVE-2023-41085 | When IPSec is configured on a Virtual Server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.5 | 2023-10-10 | CVE-2023-40542 | When TCP Verified Accept is enabled on a TCP profile that is configured on a Virtual Server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
8.1 | 2023-10-10 | CVE-2023-40537 | An authenticated user's session cookie may remain valid for a limited time after logging out from the BIG-IP Configuration utility on a multi-blade VIPRION platform. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.5 | 2023-10-10 | CVE-2023-40534 | When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
4.4 | 2023-10-10 | CVE-2023-39447 | When BIG-IP APM Guided Configurations are configured, undisclosed sensitive information may be logged in restnoded log.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
8.2 | 2023-09-27 | CVE-2023-43125 | BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
7.1 | 2023-09-27 | CVE-2023-43124 | BIG-IP APM clients may send IP traffic outside of the VPN tunnel.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated |
5.4 | 2023-08-02 | CVE-2023-38423 | A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
4.3 | 2023-08-02 | CVE-2023-38419 | An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.8 | 2023-08-02 | CVE-2023-38418 | The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
6.1 | 2023-08-02 | CVE-2023-38138 | A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
5.5 | 2023-08-02 | CVE-2023-36858 | An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
6.1 | 2023-08-02 | CVE-2023-3470 | Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. Â The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. Â On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest. The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F. The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
7.5 | 2023-05-03 | CVE-2023-29163 | When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
12% (38) | CWE-20 | Improper Input Validation |
11% (35) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
9% (28) | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
4% (13) | CWE-200 | Information Exposure |
3% (12) | CWE-476 | NULL Pointer Dereference |
3% (10) | CWE-401 | Failure to Release Memory Before Removing Last Reference ('Memory L... |
3% (10) | CWE-319 | Cleartext Transmission of Sensitive Information |
2% (9) | CWE-269 | Improper Privilege Management |
2% (7) | CWE-532 | Information Leak Through Log Files |
2% (7) | CWE-362 | Race Condition |
2% (7) | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
2% (7) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
1% (6) | CWE-295 | Certificate Issues |
1% (6) | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('O... |
1% (5) | CWE-352 | Cross-Site Request Forgery (CSRF) |
1% (5) | CWE-287 | Improper Authentication |
1% (5) | CWE-264 | Permissions, Privileges, and Access Controls |
1% (4) | CWE-770 | Allocation of Resources Without Limits or Throttling |
1% (4) | CWE-732 | Incorrect Permission Assignment for Critical Resource |
1% (4) | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
1% (4) | CWE-404 | Improper Resource Shutdown or Release |
1% (4) | CWE-326 | Inadequate Encryption Strength |
1% (4) | CWE-284 | Access Control (Authorization) Issues |
1% (4) | CWE-203 | Information Exposure Through Discrepancy |
1% (4) | CWE-125 | Out-of-bounds Read |
SAINT Exploits
Description | Link |
---|---|
F5 rsync daemon ConfigSync interface cmi module vulnerability | More info here |
F5 BIG-IP iControl REST vulnerability | More info here |
Bash environment variable code injection over HTTP | More info here |
Bash Environment Variable Handling Shell Command Injection Via CUPS | More info here |
ShellShock DHCP Server | More info here |
ExploitDB Exploits
id | Description |
---|---|
35146 | PHP 5.x Shellshock Exploit (bypass disable_functions) |
35115 | CUPS Filter Bash Environment Variable Code Injection |
34879 | OpenVPN 2.2.29 - ShellShock Exploit |
34860 | GNU bash 4.3.11 Environment Variable dhclient Exploit |
34839 | IPFire Cgi Web Interface Authenticated Bash Environment Variable Code Injecti... |
34777 | GNU bash Environment Variable Command Injection (MSF) |
33516 | Linux kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition... |
OpenVAS Exploits
id | Description |
---|---|
2013-09-18 | Name : Debian Security Advisory DSA 2581-1 (mysql-5.1 - several vulnerabilities) File : nvt/deb_2581_1.nasl |
2012-11-26 | Name : Oracle MySQL Server Multiple Vulnerabilities-01 Nov12 (Windows) File : nvt/gb_oracle_mysql_multiple_vuln01_nov12_win.nasl |
2012-11-15 | Name : CentOS Update for mysql CESA-2012:1462 centos6 File : nvt/gb_CESA-2012_1462_mysql_centos6.nasl |
2012-11-15 | Name : RedHat Update for mysql RHSA-2012:1462-01 File : nvt/gb_RHSA-2012_1462-01_mysql.nasl |
2012-11-06 | Name : Ubuntu Update for mysql-5.5 USN-1621-1 File : nvt/gb_ubuntu_USN_1621_1.nasl |
Information Assurance Vulnerability Management (IAVM)
id | Description |
---|---|
2014-A-0142 | GNU Bash Shell Code Execution Vulnerability Severity: Category I - VMSKEY: V0054753 |
Snort® IPS/IDS
Date | Description |
---|---|
2020-08-11 | F5 BIG-IP Traffic Management User Interface remote code execution attempt RuleID : 54484 - Type : SERVER-WEBAPP - Revision : 2 |
2020-08-06 | F5 BIG-IP Traffic Management User Interface remote code execution attempt RuleID : 54462 - Type : SERVER-WEBAPP - Revision : 3 |
2020-07-07 | lodash defaultsDeep prototype pollution attempt RuleID : 54184 - Type : SERVER-OTHER - Revision : 1 |
2016-03-15 | Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt RuleID : 37654 - Type : OS-LINUX - Revision : 2 |
2016-03-14 | Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt RuleID : 37408 - Type : OS-LINUX - Revision : 2 |
2015-07-13 | Linux.Trojan.ChinaZ outbound connection RuleID : 34847 - Type : MALWARE-CNC - Revision : 3 |
2015-01-13 | TLSv1.2 POODLE CBC padding brute force attempt RuleID : 32760 - Type : SERVER-OTHER - Revision : 4 |
2015-01-13 | TLSv1.1 POODLE CBC padding brute force attempt RuleID : 32759 - Type : SERVER-OTHER - Revision : 4 |
2015-01-13 | TLSv1.0 POODLE CBC padding brute force attempt RuleID : 32758 - Type : SERVER-OTHER - Revision : 4 |
2015-01-13 | TLSv1.2 POODLE CBC padding brute force attempt RuleID : 32757 - Type : SERVER-OTHER - Revision : 4 |
2015-01-13 | TLSv1.1 POODLE CBC padding brute force attempt RuleID : 32756 - Type : SERVER-OTHER - Revision : 4 |
2015-01-13 | TLSv1.0 POODLE CBC padding brute force attempt RuleID : 32755 - Type : SERVER-OTHER - Revision : 4 |
2014-10-30 | Bash environment variable injection attempt RuleID : 32366-community - Type : OS-OTHER - Revision : 2 |
2014-12-02 | Bash environment variable injection attempt RuleID : 32366 - Type : OS-OTHER - Revision : 2 |
2014-10-24 | Bash CGI environment variable injection attempt RuleID : 32336-community - Type : OS-OTHER - Revision : 2 |
2014-11-25 | Bash CGI environment variable injection attempt RuleID : 32336 - Type : OS-OTHER - Revision : 2 |
2014-10-24 | Bash CGI environment variable injection attempt RuleID : 32335-community - Type : OS-OTHER - Revision : 2 |
2014-11-25 | Bash CGI environment variable injection attempt RuleID : 32335 - Type : OS-OTHER - Revision : 2 |
2014-10-03 | Bash environment variable injection attempt RuleID : 32069-community - Type : OS-OTHER - Revision : 3 |
2014-11-16 | Bash environment variable injection attempt RuleID : 32069 - Type : OS-OTHER - Revision : 3 |
2014-10-01 | Bash environment variable injection attempt RuleID : 32043-community - Type : OS-OTHER - Revision : 3 |
2014-11-16 | Bash environment variable injection attempt RuleID : 32043 - Type : OS-OTHER - Revision : 3 |
2014-10-01 | Bash environment variable injection attempt RuleID : 32042-community - Type : OS-OTHER - Revision : 4 |
2014-11-16 | Bash environment variable injection attempt RuleID : 32042 - Type : OS-OTHER - Revision : 4 |
2014-10-01 | Bash environment variable injection attempt RuleID : 32041-community - Type : OS-OTHER - Revision : 4 |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2019-01-11 | Name: The remote Virtuozzo host is missing multiple security updates. File: Virtuozzo_VZA-2018-075.nasl - Type: ACT_GATHER_INFO |
2019-01-10 | Name: The remote device is affected by multiple vulnerabilities. File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-50075276e8.nasl - Type: ACT_GATHER_INFO |
2018-12-28 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL27617652.nasl - Type: ACT_GATHER_INFO |
2018-12-21 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL23328310.nasl - Type: ACT_GATHER_INFO |
2018-12-21 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL61620494.nasl - Type: ACT_GATHER_INFO |
2018-12-14 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL95343321.nasl - Type: ACT_GATHER_INFO |
2018-12-13 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL42027747.nasl - Type: ACT_GATHER_INFO |
2018-12-11 | Name: The remote EulerOS host is missing multiple security updates. File: EulerOS_SA-2018-1406.nasl - Type: ACT_GATHER_INFO |
2018-12-05 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-2_0-0101.nasl - Type: ACT_GATHER_INFO |
2018-11-16 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-3083.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL00363258.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL01067037.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL02043709.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL02714910.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL03165684.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL05018525.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL05112543.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL05263202.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL07550539.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL10930474.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL11718033.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL12044607.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL16248201.nasl - Type: ACT_GATHER_INFO |
2018-11-02 | Name: The remote device is missing a vendor-supplied security patch. File: f5_bigip_SOL19361245.nasl - Type: ACT_GATHER_INFO |