This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor f5 First view 2018-07-06
Product Big-Ip Access Policy Manager Last view 2023-09-27
Version 14.1.2.1.0.111.4-eng_hotfix Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:f5:big-ip_access_policy_manager

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
7.1 2023-09-27 CVE-2023-43124

BIG-IP APM clients may send IP traffic outside of the VPN tunnel.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

5.4 2023-08-02 CVE-2023-38423

A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

4.3 2023-08-02 CVE-2023-38419

An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.8 2023-08-02 CVE-2023-38418

The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.1 2023-08-02 CVE-2023-38138

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

5.5 2023-08-02 CVE-2023-36858

An insufficient verification of data vulnerability exists in BIG-IP Edge Client for Windows and macOS that may allow an attacker to modify its configured server list.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.1 2023-08-02 CVE-2023-3470

Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generate a deterministic password for the Crypto User account. Â The predictable nature of the password allows an authenticated user with TMSH access to the BIG-IP system, or anyone with physical access to the FIPS HSM, the information required to generate the correct password. Â On vCMP systems, all Guests share the same deterministic password, allowing those with TMSH access on one Guest to access keys of a different Guest.

The following BIG-IP hardware platforms are affected: 10350v-F, i5820-DF, i7820-DF, i15820-DF, 5250v-F, 7200v-F, 10200v-F, 6900-F, 8900-F, 11000-F, and 11050-F.

The BIG-IP rSeries r5920-DF and r10920-DF are not affected, nor does the issue affect software FIPS implementations or network HSM configurations.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-05-03 CVE-2023-29163

When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.5 2023-05-03 CVE-2023-28406

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained.Â

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.1 2023-05-03 CVE-2023-27378

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

5.9 2023-05-03 CVE-2023-24461

An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

5.9 2023-05-03 CVE-2023-22372

In the pre connection stage, an improper enforcement of message integrity vulnerability exists in BIG-IP Edge Client for Windows and Mac OS. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-23555

On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22842

On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22664

On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22422

On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, when a HTTP profile with the non-default Enforcement options of Enforce HTTP Compliance and Unknown Methods: Reject are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.1 2023-02-01 CVE-2023-22418

On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious attacker to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

8.5 2023-02-01 CVE-2023-22374

In BIG-IP starting in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5 on their respective branches, a format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.8 2023-02-01 CVE-2023-22358

In versions beginning with 7.2.2 to before 7.2.3.1, a DLL hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22341

On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to '/' * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22340

On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

4.9 2023-02-01 CVE-2023-22326

In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

7.5 2023-02-01 CVE-2023-22323

In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

5.9 2023-02-01 CVE-2023-22302

In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

6.5 2023-02-01 CVE-2023-22283

On versions beginning in 7.1.5 to before 7.2.3.1, a DLL hijacking vulnerability exists in the BIG-IP Edge Client for Windows. User interaction and administrative privileges are required to exploit this vulnerability because the victim user needs to run the executable on the system and the attacker requires administrative privileges for modifying the files in the trusted search path. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE : Common Weakness Enumeration

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
%idName
13% (21) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
10% (16) CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')
6% (10) CWE-476 NULL Pointer Dereference
5% (8) CWE-20 Improper Input Validation
4% (7) CWE-319 Cleartext Transmission of Sensitive Information
4% (7) CWE-269 Improper Privilege Management
3% (5) CWE-401 Failure to Release Memory Before Removing Last Reference ('Memory L...
2% (4) CWE-404 Improper Resource Shutdown or Release
2% (4) CWE-352 Cross-Site Request Forgery (CSRF)
2% (4) CWE-125 Out-of-bounds Read
2% (4) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...
1% (3) CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
1% (3) CWE-532 Information Leak Through Log Files
1% (3) CWE-362 Race Condition
1% (3) CWE-326 Inadequate Encryption Strength
1% (3) CWE-295 Certificate Issues
1% (3) CWE-287 Improper Authentication
1% (2) CWE-787 Out-of-bounds Write
1% (2) CWE-770 Allocation of Resources Without Limits or Throttling
1% (2) CWE-682 Incorrect Calculation
1% (2) CWE-668 Exposure of Resource to Wrong Sphere
1% (2) CWE-434 Unrestricted Upload of File with Dangerous Type
1% (2) CWE-427 Uncontrolled Search Path Element
1% (2) CWE-416 Use After Free
1% (2) CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflo...

SAINT Exploits

Description Link
F5 BIG-IP iControl REST vulnerability More info here

Snort® IPS/IDS

Date Description
2020-08-11 F5 BIG-IP Traffic Management User Interface remote code execution attempt
RuleID : 54484 - Type : SERVER-WEBAPP - Revision : 2
2020-08-06 F5 BIG-IP Traffic Management User Interface remote code execution attempt
RuleID : 54462 - Type : SERVER-WEBAPP - Revision : 3
2020-07-07 lodash defaultsDeep prototype pollution attempt
RuleID : 54184 - Type : SERVER-OTHER - Revision : 1

Nessus® Vulnerability Scanner

id Description
2019-01-11 Name: The remote Virtuozzo host is missing multiple security updates.
File: Virtuozzo_VZA-2018-075.nasl - Type: ACT_GATHER_INFO
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-50075276e8.nasl - Type: ACT_GATHER_INFO
2018-12-11 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1406.nasl - Type: ACT_GATHER_INFO
2018-11-16 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-3083.nasl - Type: ACT_GATHER_INFO
2018-10-26 Name: The remote EulerOS Virtualization host is missing a security update.
File: EulerOS_SA-2018-1352.nasl - Type: ACT_GATHER_INFO
2018-10-10 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-2846.nasl - Type: ACT_GATHER_INFO
2018-09-04 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1278.nasl - Type: ACT_GATHER_INFO
2018-09-04 Name: The remote EulerOS host is missing multiple security updates.
File: EulerOS_SA-2018-1279.nasl - Type: ACT_GATHER_INFO
2018-08-16 Name: The remote Debian host is missing a security update.
File: debian_DLA-1466.nasl - Type: ACT_GATHER_INFO
2018-08-15 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1058.nasl - Type: ACT_GATHER_INFO
2018-08-15 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1058.nasl - Type: ACT_GATHER_INFO
2018-08-15 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4272.nasl - Type: ACT_GATHER_INFO
2018-08-07 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-4266.nasl - Type: ACT_GATHER_INFO
2018-08-03 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZA-2018-049.nasl - Type: ACT_GATHER_INFO
2018-07-24 Name: The remote Fedora host is missing a security update.
File: fedora_2018-8484550fff.nasl - Type: ACT_GATHER_INFO