CVSS: 6.1EPSS: 0%CPEs: 65EXPL: 0CVE-2019-6625
https://notcve.org/view.php?id=CVE-2019-6625
03 Jul 2019 — On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility. En BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, y 11.5.1-11.6.4, un Cross-Site reflejado Existe una vulnerabilidad de scripting (XSS) en una página no revelada de la Interfaz de usuario de gestión de trá... • https://support.f5.com/csp/article/K79902360 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 52EXPL: 0CVE-2019-6622
https://notcve.org/view.php?id=CVE-2019-6622
02 Jul 2019 — On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is only exploitable on multi-bladed systems. En BIG-IP versiones 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, y 11.5.1-11.6.4, un iControl REST worker no revelado es vulnerable a la inyección de comandos por parte de un usuario administrador o un usuario ad... • https://support.f5.com/csp/article/K44885536 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 80EXPL: 0CVE-2019-6621
https://notcve.org/view.php?id=CVE-2019-6621
02 Jul 2019 — On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, and 11.5.2-11.5.8 and BIG-IQ 7.0.0-7.1.0.2, 6.0.0-6.1.0, and 5.1.0-5.4.0, an undisclosed iControl REST worker is vulnerable to command injection by an admin/resource admin user. This issue impacts both iControl REST and tmsh implementations. En BIG-IP versiones 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, 11.6.1-11.6.3.4, y 11.5.2-11.5.8 y BIG-IQ versiones 7.0.0-7.1.0.2, 6.0.0-6.1.0, y 5.1.0... • https://support.f5.com/csp/article/K20541896 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 0%CPEs: 54EXPL: 0CVE-2019-6620
https://notcve.org/view.php?id=CVE-2019-6620
02 Jul 2019 — On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4 and BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, an undisclosed iControl REST worker vulnerable to command injection for an Administrator user. En BIG-IP versiones 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, y 11.5.1-11.6.4 y BIG-IQ versiones 6.0. 0-6.1.0 y 5.1.0-5.4.0, un iControl REST worker no revelado es vulnerable a la inyección de comandos para un usuario Administrador. • https://support.f5.com/csp/article/K20445457 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 69EXPL: 0CVE-2019-6642
https://notcve.org/view.php?id=CVE-2019-6642
01 Jul 2019 — In BIG-IP 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.2, and 11.5.2-11.6.4, BIG-IQ 6.0.0-6.1.0 and 5.1.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1, authenticated users with the ability to upload files (via scp, for example) can escalate their privileges to allow root shell access from within the TMOS Shell (tmsh) interface. The tmsh interface allows users to execute a secondary program via tools like sftp or scp. En BIG-IP versiones 15.0.0, 14.0.0-14.1.0.5, 13.0.0-13.1.1.5, 12.1.0-12.... • https://support.f5.com/csp/article/K40378764 •
CVSS: 5.9EPSS: 0%CPEs: 109EXPL: 0CVE-2019-6471 – A race condition when discarding malformed packets can cause BIND to exit with an assertion failure
https://notcve.org/view.php?id=CVE-2019-6471
20 Jun 2019 — A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1. Una condición de carrera que puede presentarse al descartar paquetes malformados puede provocar la salida de B... • https://kb.isc.org/docs/cve-2019-6471 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-617: Reachable Assertion •
CVSS: 7.5EPSS: 95%CPEs: 90EXPL: 0CVE-2019-11478 – SACK can cause extensive memory use via fragmented resend queue
https://notcve.org/view.php?id=CVE-2019-11478
17 Jun 2019 — Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e. Jonathan Looney descubrió que la implementación de la cola de retransmisión de TCP en tcp_fr... • http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 96%CPEs: 96EXPL: 0CVE-2019-11479 – kernel: tcp: excessive resource consumption for TCP connections with low MSS allows remote denial of service
https://notcve.org/view.php?id=CVE-2019-11479
17 Jun 2019 — Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363. Jonathan Looney descubrió que el tamaño máximo d... • http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt • CWE-400: Uncontrolled Resource Consumption CWE-405: Asymmetric Resource Consumption (Amplification) CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 96%CPEs: 91EXPL: 1CVE-2019-11477 – Integer overflow in TCP_SKB_CB(skb)->tcp_gso_segs
https://notcve.org/view.php?id=CVE-2019-11477
17 Jun 2019 — Jonathan Looney discovered that the TCP_SKB_CB(skb)->tcp_gso_segs value was subject to an integer overflow in the Linux kernel when handling TCP Selective Acknowledgments (SACKs). A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff. Jonathan Looney detectó que el valor TCP_SKB_CB(skb)-mayor que tcp_gso_segs estuvo sujeto a un desbordamiento de ... • https://github.com/sasqwatch/cve-2019-11477-poc • CWE-190: Integer Overflow or Wraparound CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.9EPSS: 0%CPEs: 65EXPL: 0CVE-2019-6618
https://notcve.org/view.php?id=CVE-2019-6618
03 May 2019 — On BIG-IP 14.0.0-14.1.0.1, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.2-11.5.8, users with the Resource Administrator role can modify sensitive portions of the filesystem if provided Advanced Shell Access, such as editing /etc/passwd. This allows modifications to user objects and is contrary to our definition for the Resource Administrator (RA) role restrictions. En BIG-IP versiones desde la 14.0.0.0 hasta la 14.1.0.1, desde la 13.0.0 hasta la 13.1.1.1.4, desde la 12.1.0 hasta la 12.1.4, desd... • https://support.f5.com/csp/article/K07702240 •