CVE-2023-40534 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2023-40534
When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Cuando un perfil HTTP/2 del lado del cliente y la opción HTTP MRF Router están habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Política de Tráfico Local está asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalización de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan. • https://my.f5.com/manage/s/article/K000133467 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. • https://github.com/imabee101/CVE-2023-44487 https://github.com/studiogangster/CVE-2023-44487 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/sigridou/CVE-2023-44487- https://github.com/ByteHackr/CVE-2023-44487 https://github.com/ReToCode/golang-CVE-2023-44487 http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www. • CWE-400: Uncontrolled Resource Consumption •
CVE-2023-38423 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2023-38423
A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en una página no revelada de la utilidad de configuración de BIG-IP que permite a un atacante ejecutar JavaScript en el contexto del usuario actualmente conectado. Nota: No se evalúan las versiones de software que han alcanzado el fin de soporte técnico (EoTS). • https://my.f5.com/manage/s/article/K000134535 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-38419 – BIG-IP and BIG-IQ iControl SOAP vulnerability
https://notcve.org/view.php?id=CVE-2023-38419
An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Un atacante autenticado con privilegios de invitado o superior puede provocar la finalización del proceso iControl SOAP mediante el envío de solicitudes no reveladas. Nota: No se evalúan las versiones de software que han alcanzado el fin del soporte técnico (EoTS). • https://my.f5.com/manage/s/article/K000133472 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2023-38138 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2023-38138
A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de Cross-Site Scripting (XSS) reflejado en una página no revelada de la utilidad de configuración de BIG-IP que permite a un atacante ejecutar JavaScript en el contexto del usuario actualmente conectado. Nota: No se evalúan las versiones de software que han alcanzado el fin del soporte ténico (EoTS). • https://my.f5.com/manage/s/article/K000133474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •