CVSS: 10.0EPSS: 97%CPEs: 73EXPL: 20CVE-2021-22986 – F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-22986
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anteriores a 14... • https://packetstorm.news/files/id/162059 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22988
https://notcve.org/view.php?id=CVE-2021-22988
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, TMUI, also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anterior... • https://support.f5.com/csp/article/K70031188 •
CVSS: 9.8EPSS: 39%CPEs: 84EXPL: 1CVE-2021-22992 – F5 Big IP ASM is_hdr_criteria_matches Buffer Overflow
https://notcve.org/view.php?id=CVE-2021-22992
11 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, a malicious HTTP response to an Advanced WAF/BIG-IP ASM virtual server with Login Page configured in its policy may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may allow remote code execution (RCE), leading to complete system compromise. Note: Software versions which have reached End of Software Development (E... • https://packetstorm.news/files/id/161753 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 71%CPEs: 70EXPL: 1CVE-2021-22991 – F5 BIG-IP Traffic Management Microkernel Buffer Overflow
https://notcve.org/view.php?id=CVE-2021-22991
11 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, which may trigger a buffer overflow, resulting in a DoS attack. In certain situations, it may theoretically allow bypass of URL based access control or remote code execution (RCE). Note: Software versions which have reached End of Software ... • https://packetstorm.news/files/id/161752 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2021-22977
https://notcve.org/view.php?id=CVE-2021-22977
12 Feb 2021 — On BIG-IP version 16.0.0-16.0.1 and 14.1.2.4-14.1.3, cooperation between malicious HTTP client code and a malicious server may cause TMM to restart and generate a core file. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.0-16.0.1 y 14.1.2.4-14.1.3, una cooperación entre el código de cliente HTTP malicioso y un servidor malicioso puede hacer a TMM reinicie y genere un archivo core. Nota: No son evaluadas las versiones de software... • https://support.f5.com/csp/article/K14693346 •
CVSS: 8.3EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22978
https://notcve.org/view.php?id=CVE-2021-22978
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x and 11.6.x versions, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of BIG-IP if the victim user is granted the admin role. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1, versiones 15.1.x anteriores a 15.1.1, versiones 14... • https://support.f5.com/csp/article/K87502622 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 70EXPL: 0CVE-2021-22979
https://notcve.org/view.php?id=CVE-2021-22979
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned and allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.... • https://support.f5.com/csp/article/K63497634 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 58EXPL: 0CVE-2021-22974
https://notcve.org/view.php?id=CVE-2021-22974
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP ve... • https://support.f5.com/csp/article/K68652018 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 50EXPL: 0CVE-2021-22973
https://notcve.org/view.php?id=CVE-2021-22973
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all 12.1.x versions, JSON parser function does not protect against out-of-bounds memory accesses or writes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2, versiones 14.1.x anteriores a 14.1.3.1, versiones 13.1.x anteriores a 13.1.3.5 y todas las versiones de... • https://support.f5.com/csp/article/K13323323 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 42EXPL: 0CVE-2021-22975
https://notcve.org/view.php?id=CVE-2021-22975
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, and 14.1.x before 14.1.3.1, under some circumstances, Traffic Management Microkernel (TMM) may restart on the BIG-IP system while passing large bursts of traffic. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1 y versiones 14.1.x anteriores a 14.1.3.1, en algunas circunstancias, Traffic Management Microkern... • https://support.f5.com/csp/article/K21971977 •