
CVE-2022-27634
https://notcve.org/view.php?id=CVE-2022-27634
05 May 2022 — On 16.1.x versions prior to 16.1.2.2 and 15.1.x versions prior to 15.1.5.1, BIG-IP APM does not properly validate configurations, allowing an authenticated attacker with high privileges to manipulate the APM policy, leading to privilege escalation or remote code execution. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K57555833 • CWE-20: Improper Input Validation

CVE-2022-27495
https://notcve.org/view.php?id=CVE-2022-27495
05 May 2022 — On all 1.3.x versions (fixed in 1.4.0), NGINX Service Mesh control plane endpoints are exposed to the cluster overlay network. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K94093538 • CWE-306: Missing Authentication for Critical Function

CVE-2022-27230
https://notcve.org/view.php?id=CVE-2022-27230
05 May 2022 — On all versions of 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x of F5 BIG-IP APM, and on all versions of F5 BIG-IP Guided Configuration (GC) prior to 9.0, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of F5 BIG-IP Guided Configuration that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K21317311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-27189
https://notcve.org/view.php?id=CVE-2022-27189
05 May 2022 — On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when an Internet Content Adaptation Protocol (ICAP) profile is configured on a virtual server, undisclosed traffic can cause an increase in Traffic Management Microkernel (TMM) memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K16187341 • CWE-681: Incorrect Conversion between Numeric Types

CVE-2022-27182
https://notcve.org/view.php?id=CVE-2022-27182
05 May 2022 — On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, and 14.1.x versions prior to 14.1.4.6, when BIG-IP packet filters are enabled and a virtual server is configured with the type set to Reject, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K31856317 • CWE-400: Uncontrolled Resource Consumption

CVE-2022-27181
https://notcve.org/view.php?id=CVE-2022-27181
05 May 2022 — On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, when APM is configured on a virtual server and the associated access profile is configured with APM AAA NTLM Auth, undisclosed requests can cause an increase in internal resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K93543114 • CWE-400: Uncontrolled Resource Consumption

CVE-2022-26890
https://notcve.org/view.php?id=CVE-2022-26890
05 May 2022 — On F5 BIG-IP Advanced WAF, ASM, and APM 16.1.x versions prior to 16.1.2.1, 15.1.x versions prior to 15.1.5, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5, when ASM or Advanced WAF, together with APM, are configured on a virtual server, the ASM policy is configured with Session Awareness, and the "Use APM Username and Session ID" option is enabled, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K03442392 • CWE-670: Always-Incorrect Control Flow Implementation

CVE-2022-26835
https://notcve.org/view.php?id=CVE-2022-26835
05 May 2022 — On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, directory traversal vulnerabilities exist in undisclosed iControl REST endpoints and TMOS Shell (tmsh) commands in F5 BIG-IP Guided Configuration, which may allow an authenticated attacker with at least resource administrator role privileges to read arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K53197140 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-23055
https://notcve.org/view.php?id=CVE-2021-23055
21 Apr 2022 — On versions 2.x before 2.0.3 and 1.x before 1.12.3, the command line restriction that controls snippet use with NGINX Ingress Controller does not apply to Ingress objects. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://support.f5.com/csp/article/K01051452 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2022-28049
https://notcve.org/view.php?id=CVE-2022-28049
15 Apr 2022 — NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference in the njs_vmcode_array component at /src/njs_vmcode.c. • https://github.com/nginx/njs/commit/f65981b0b8fcf02d69a40bc934803c25c9f607ab • CWE-476: NULL Pointer Dereference