CVSS: 4.3EPSS: 0%CPEs: 84EXPL: 0CVE-2021-23001
https://notcve.org/view.php?id=CVE-2021-23001
On versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the upload functionality in BIG-IP Advanced WAF and BIG-IP ASM allows an authenticated user to upload files to the BIG-IP system using a call to an undisclosed iControl REST endpoint. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En las versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anteriores a 14.1.4, versiones 13.1.x anteriores a 13.1.3.6, versiones 12.1.x anteriores a 12.1.5.3 y versiones 11.6.x anteriores a 11.6.5.3 , la funcionalidad de carga en BIG-IP Advanced WAF y BIG-IP ASM permite a un usuario autenticado cargar archivos al sistema BIG-IP mediante una llamada a un endpoint iControl REST no revelado. Nota: No se evalúan las versiones de software que han alcanzado End of Software Development (EoSD). • https://support.f5.com/csp/article/K06440657 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22998
https://notcve.org/view.php?id=CVE-2021-22998
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, SYN flood protection thresholds are not enforced in secure network address translation (SNAT) listeners. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anteriores a 14.1.4, versiones 13.1.x anteriores a 13.1.3.6, versiones 12.1.x anteriores a 12.1.5.3 y versiones 11.6.x anteriores a 11.6.5.3, los umbrales de protección contra inundaciones SYN no se aplican en escuchas de secure network address translation (SNAT). Nota: No se evalúan las versiones de software que han alcanzado End of Software Development (EoSD). • https://support.f5.com/csp/article/K31934524 •
CVSS: 7.5EPSS: 0%CPEs: 84EXPL: 0CVE-2021-23003
https://notcve.org/view.php?id=CVE-2021-23003
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, the Traffic Management Microkernel (TMM) process may produce a core file when undisclosed MPTCP traffic passes through a standard virtual server. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2, versiones 14.1.x anteriores a 14.1.3.1, versiones 13.1.x anteriores a 13.1.3.6, versiones 12.1.x anteriores a 12.1.5.3 y versiones 11.6.x anteriores a 11.6.5.3, el proceso Traffic Management Microkernel (TMM) puede producir un archivo central cuando el tráfico MPTCP no revelado pasa a través de un servidor virtual estándar. Nota: No se evalúan las versiones de software que han alcanzado End of Software Development (EoSD). • https://support.f5.com/csp/article/K43470422 •
CVSS: 7.5EPSS: 0%CPEs: 28EXPL: 0CVE-2021-23000
https://notcve.org/view.php?id=CVE-2021-23000
On BIG-IP versions 13.1.3.4-13.1.3.6 and 12.1.5.2, if the tmm.http.rfc.enforcement BigDB key is enabled in a BIG-IP system, or the Bad host header value is checked in the AFM HTTP security profile associated with a virtual server, in rare instances, a specific sequence of malicious requests may cause TMM to restart. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 13.1.3.4-13.1.3.6 y 12.1.5.2, si la clave de BigDB tmm.http.rfc.enforcement está habilitada en un sistema BIG-IP, o si el valor del encabezado de host Bad está validado en la seguridad HTTP de AFM asociado con un servidor virtual, en raras ocasiones, una secuencia específica de peticiones maliciosas puede hacer que TMM se reinicie. Nota: No se evalúan las versiones de software que han alcanzado End of Software Development (EoSD). • https://support.f5.com/csp/article/K34441555 •
CVSS: 6.1EPSS: 0%CPEs: 84EXPL: 0CVE-2021-22994
https://notcve.org/view.php?id=CVE-2021-22994
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x before 12.1.5.3, and 11.6.x before 11.6.5.3, undisclosed endpoints in iControl REST allow for a reflected XSS attack, which could lead to a complete compromise of the BIG-IP system if the victim user is granted the admin role. This vulnerability is due to an incomplete fix for CVE-2020-5948. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anteriores a 14.1.4, versiones 13.1.x anteriores a 13.1.3.6, versiones 12.1.x anteriores a 12.1.5.3 y versiones 11.6.x anteriores a 11.6.5.3, los endpoints no revelados en iControl REST permiten un ataque XSS reflejado, lo que podría conllevar a un compromiso completo del sistema BIG-IP si se le otorga el rol de administrador al usuario víctima. Esta vulnerabilidades es debido a una solución incompleta para CVE-2020-5948. • https://support.f5.com/csp/article/K66851119 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •