CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2017-6144
https://notcve.org/view.php?id=CVE-2017-6144
20 Oct 2017 — In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Allocation Code (TAC) database file via HTTPS, the server's certificate is not verified. Attackers in a privileged network position may be able to launch a man-in-the-middle attack against these connections. TAC databases are used in BIG-IP PEM for Device Type and OS (DTOS) and Tethering detection. Customers not using BIG-IP PEM, not configuring downloads of TAC database files, or not using HTTP for that download are not affected. En F5 BIG-IP... • https://support.f5.com/csp/article/K81601350 • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 0%CPEs: 111EXPL: 0CVE-2017-6165
https://notcve.org/view.php?id=CVE-2017-6165
20 Oct 2017 — In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM, and WebSafe 11.5.1 HF6 through 11.5.4 HF4, 11.6.0 through 11.6.1 HF1, and 12.0.0 through 12.1.2 on VIPRION platforms only, the script which synchronizes SafeNet External Network HSM configuration elements between blades in a clustered deployment will log the HSM partition password in cleartext to the "/var/log/ltm" log file. En F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM y WebSafe 11.5.1 HF6 has... • http://www.securityfocus.com/bid/101543 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2017-6145
https://notcve.org/view.php?id=CVE-2017-6145
20 Oct 2017 — iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.0.0 through 12.1.2 and 13.0.0 includes a service to convert authorization BIGIPAuthCookie cookies to X-F5-Auth-Token tokens. This service does not properly re-validate cookies when making that conversion, allowing once-valid but now expired cookies to be converted to valid tokens. iControl REST en F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM y WebSafe 12.0.0 hasta la versión 12... • https://support.f5.com/csp/article/K22317030 • CWE-613: Insufficient Session Expiration •
CVSS: 5.9EPSS: 0%CPEs: 20EXPL: 0CVE-2017-6147
https://notcve.org/view.php?id=CVE-2017-6147
18 Sep 2017 — In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe 12.1.2-HF1 and 13.0.0, an undisclosed type of responses may cause TMM to restart, causing an interruption of service when "SSL Forward Proxy" setting is enabled in both the Client and Server SSL profiles assigned to a BIG-IP Virtual Server. En F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM y WebSafe 12.1.2-HF1 y 13.0.0, una serie de peticiones no reveladas puede provocar el reinicio del TMM y la ... • http://www.securityfocus.com/bid/100981 •
CVSS: 5.4EPSS: 0%CPEs: 136EXPL: 0CVE-2016-7469
https://notcve.org/view.php?id=CVE-2016-7469
09 Jun 2017 — A stored cross-site scripting (XSS) vulnerability in the Configuration utility device name change page in BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM and WebSafe version 12.0.0 - 12.1.2, 11.4.0 - 11.6.1, and 11.2.1 allows an authenticated user to inject arbitrary web script or HTML. Exploitation requires Resource Administrator or Administrator privileges, and it could cause the Configuration utility client to become unstable. Una vulnerab... • http://www.securityfocus.com/bid/95320 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2017-6131
https://notcve.org/view.php?id=CVE-2017-6131
23 May 2017 — In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0.0 Azure cloud instance may contain a default administrative password which could be used to remotely log into the BIG-IP system. The impacted administrative account is the Azure instance administrative user that was created at deployment. The root and admin accounts are not vulnerable. An attacker may be able to remotely access the BIG-IP host via SSH. En algunas circunstancias, una instancia de nube de Azure de F5 BIG-IP versiones 12.0.0... • http://www.securitytracker.com/id/1038569 • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.5EPSS: 0%CPEs: 134EXPL: 0CVE-2016-9250
https://notcve.org/view.php?id=CVE-2016-9250
10 May 2017 — In F5 BIG-IP 11.2.1, 11.4.0 through 11.6.1, and 12.0.0 through 12.1.2, an unauthenticated user with access to the control plane may be able to delete arbitrary files through an undisclosed mechanism. En F5 BIG-IP 11.2.1, 11.4.0 a 11.6.1 y 12.0.0 a 12.1.2, un usuario no autenticado con acceso al panel de control puede ser capaz de borrar archivos arbitrarios a través de un mecanismo no revelado. • https://support.f5.com/csp/article/K55792317 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2016-9256
https://notcve.org/view.php?id=CVE-2016-9256
09 May 2017 — In F5 BIG-IP 12.1.0 through 12.1.2, permissions enforced by iControl can lag behind the actual permissions assigned to a user if the role_map is not reloaded between the time the permissions are changed and the time of the user's next request. This is a race condition that occurs rarely in normal usage; the typical period in which this is possible is limited to at most a few seconds after the permission change. En F5 BIG-IP desde la versión 12.1.0 hasta la 12.1.2, los permisos forzados por iControl pueden q... • http://www.securityfocus.com/bid/96464 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.9EPSS: 0%CPEs: 50EXPL: 0CVE-2017-6137
https://notcve.org/view.php?id=CVE-2017-6137
09 May 2017 — In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, and WebSafe 11.6.1 HF1, 12.0.0 HF3, 12.0.0 HF4, and 12.1.0 through 12.1.2, undisclosed traffic patterns received while software SYN cookie protection is engaged may cause a disruption of service to the Traffic Management Microkernel (TMM) on specific platforms and configurations. En LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator y WebSafe ... • http://www.securitytracker.com/id/1038409 •
CVSS: 7.5EPSS: 0%CPEs: 30EXPL: 0CVE-2016-9253
https://notcve.org/view.php?id=CVE-2016-9253
09 May 2017 — In F5 BIG-IP 12.1.0 through 12.1.2, specific websocket traffic patterns may cause a disruption of service for virtual servers configured to use the websocket profile. En F5 BIG-IP desde la versión 12.1.0 hasta la 12.1.2, patrones de tráfico websocket específicos, pueden causar una interrupción del servicio en servidores virtuales configurados para usar el perfil websocket. • http://www.securitytracker.com/id/1038415 • CWE-20: Improper Input Validation •