CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23006
https://notcve.org/view.php?id=CVE-2021-23006
31 Mar 2021 — On all 7.x and 6.x versions (fixed in 8.0.0), undisclosed BIG-IQ pages have a reflected cross-site scripting vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones 7.x y 6.x (corregidas en la versión 8.0.0), las páginas de BIG-IQ no reveladas presentan una vulnerabilidad de tipo cross-site scripting reflejado. Nota: No se evalúan las versiones de software que han alcanzado End of Software Development (EoSD). • https://support.f5.com/csp/article/K30585021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23005
https://notcve.org/view.php?id=CVE-2021-23005
31 Mar 2021 — On all 7.x and 6.x versions (fixed in 8.0.0), when using a Quorum device for BIG-IQ high availability (HA) for automatic failover, BIG-IQ does not make use of Transport Layer Security (TLS) with the Corosync protocol. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones 7.x y 6.x (corregidas en la versión 8.0.0), cuando se utiliza un dispositivo Quorum para alta disponibilidad (HA) de BIG-IQ para la conmutación automática por error, BIG-IQ n... • https://support.f5.com/csp/article/K01243064 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22997
https://notcve.org/view.php?id=CVE-2021-22997
31 Mar 2021 — On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones 7.x y 6.x (corregidas en 8.0.0), el servicio BIG-IQ HA ElasticSearch no implementa ninguna forma de autenticación para los servicios de transporte de clustering, y ... • https://support.f5.com/csp/article/K34074377 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22996
https://notcve.org/view.php?id=CVE-2021-22996
31 Mar 2021 — On all 7.x versions (fixed in 8.0.0), when set up for auto failover, a BIG-IQ Data Collection Device (DCD) cluster member that receives an undisclosed message may cause the corosync process to abort. This behavior may lead to a denial-of-service (DoS) and impact the stability of a BIG-IQ high availability (HA) cluster. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones 7.x (corregidas en 8.0.0), cuando se configura para la conmutación auto... • https://support.f5.com/csp/article/K16352404 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22995
https://notcve.org/view.php?id=CVE-2021-22995
31 Mar 2021 — On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ high availability (HA) when using a Quorum device for automatic failover does not implement any form of authentication with the Corosync daemon. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En todas las versiones 7.x y 6.x (corregidas en versión 8.0.0), la alta disponibilidad (HA) de BIG-IQ cuando se usa un dispositivo Quorum para la conmutación automática por error no implementa ninguna forma de autenti... • https://support.f5.com/csp/article/K13155201 • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 94%CPEs: 73EXPL: 20CVE-2021-22986 – F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-22986
31 Mar 2021 — On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP versiones 16.0.x anteriores a 16.0.1.1, versiones 15.1.x anteriores a 15.1.2.1, versiones 14.1.x anteriores a 14... • https://packetstorm.news/files/id/162059 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 58EXPL: 0CVE-2021-22974
https://notcve.org/view.php?id=CVE-2021-22974
12 Feb 2021 — On BIG-IP version 16.0.x before 16.0.1.1, 15.1.x before 15.1.2, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6 and all versions of BIG-IQ 7.x and 6.x, an authenticated attacker with access to iControl REST over the control plane may be able to take advantage of a race condition to execute commands with an elevated privilege level. This vulnerability is due to an incomplete fix for CVE-2017-6167. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated. En BIG-IP ve... • https://support.f5.com/csp/article/K68652018 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5944
https://notcve.org/view.php?id=CVE-2020-5944
05 Nov 2020 — In BIG-IQ 7.1.0, accessing the DoS Summary events and DNS Overview pages in the BIG-IQ system interface returns an error message due to disabled Grafana reverse proxy in web service configuration. F5 has done further review of this vulnerability and has re-classified it as a defect. CVE-2020-5944 will continue to be referenced in F5 Security Advisory K57274211 and will not be assigned to other F5 vulnerabilities. En BIG-IQ versión 7.1.0, el acceso a los eventos de DoS Summary y las páginas de DNS Overview e... • https://support.f5.com/csp/article/K57274211 •
CVSS: 7.5EPSS: 0%CPEs: 68EXPL: 0CVE-2020-5930
https://notcve.org/view.php?id=CVE-2020-5930
25 Sep 2020 — In BIG-IP 15.0.0-15.1.0.4, 14.1.0-14.1.2.7, 13.1.0-13.1.3.3, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2 and BIG-IQ 5.2.0-7.1.0, unauthenticated attackers can cause disruption of service via undisclosed methods. En BIG-IP versiones 15.0.0-15.1.0.4, 14.1.0-14.1.2.7, 13.1.0-13.1.3.3, 12.1.0-12.1.5.2 y 11.6.1-11.6.5.2 y BIG-IQ 5.2. 0-7.1.0, los atacantes no autenticados pueden causar la interrupción del servicio por medio de métodos no revelados • https://support.f5.com/csp/article/K20622530 •
CVSS: 7.2EPSS: 0%CPEs: 58EXPL: 0CVE-2020-5873
https://notcve.org/view.php?id=CVE-2020-5873
30 Apr 2020 — On BIG-IP 15.0.0-15.0.1, 14.1.0-14.1.2.3, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.6.1-11.6.5 and BIG-IQ 5.2.0-7.1.0, a user associated with the Resource Administrator role who has access to the secure copy (scp) utility but does not have access to Advanced Shell (bash) can execute arbitrary commands using a maliciously crafted scp request. En BIG-IP versiones 15.0.0 hasta 15.0.1, 14.1.0 hasta 14.1.2.3, 13.1.0 hasta 13.1.3.1, 12.1.0 hasta 12.1.5 y 11.6.1 hasta 11.6.5 y BIG-IQ versiones 5.2.0 hasta 7.1.0, un u... • https://support.f5.com/csp/article/K03585731 •