Page 29 of 214 results (0.014 seconds)

CVSS: 4.3EPSS: 0%CPEs: 66EXPL: 0

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and does not have the access level to perform the attack. En BIG-IP, 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, o 11.5.1-11.5.8 o Enterprise Manager 3.1.1, las peticiones mal formadas al TMUI (Traffic Management User Interface), también llamado utilidad BIG-IP Configuration, podría conducir a la interrupción de los servicios TMUI. Este ataque requiere un usuario autenticado con cualquier rol (aparte del rol "No Access"). • https://support.f5.com/csp/article/K44603900 •

CVSS: 7.2EPSS: 0%CPEs: 53EXPL: 0

In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced. En BIG-IP, 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, o 11.5.1-11.5.8 o Enterprise Manager 3.1.1, cuando los usuarios administrativos autenticados ejecutan comandos en el TMUI (Traffic Management User Interface), también llamado utilidad BIG-IP Configuration, podrían no aplicarse las restricciones sobre los comandos permitidos. • https://support.f5.com/csp/article/K29280193 •

CVSS: 5.9EPSS: 0%CPEs: 39EXPL: 0

On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2019-6593 also known as Zombie POODLE and GOLDENDOODLE.) En BIG-IP 11.5.1-11.5.4, 11.6.1 y 12.1.0, un servidor virtual que está configurado con un perfil SSL del cliente podría ser vulnerable a un ataque de texto cifrado escogido contra cifrados CBC. Su explotación puede conducir a la recuperación en texto plano de mensajes cifrados mediante un ataque Man-in-the-Middle (MitM), a pesar de que el atacante no haya obtenido acceso a la clave privada del servidor. • https://support.f5.com/csp/article/K10065173 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 5.9EPSS: 0%CPEs: 91EXPL: 0

On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances. BIG-IP, en sus versiones 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1 y 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP), no protege contra manera correcta contra múltiples DATA_FIN de longitud cero en la cola de reensamblado, lo que podría conducir a un bucle infinito en algunas circunstancias. • https://support.f5.com/csp/article/K91026261 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 5.9EPSS: 1%CPEs: 180EXPL: 0

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html http://www.securityfocus.com/bid/107174 https://access. • CWE-203: Observable Discrepancy CWE-325: Missing Cryptographic Step •