CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-5870
https://notcve.org/view.php?id=CVE-2020-5870
24 Apr 2020 — In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization mechanisms do not use any form of authentication for connecting to the peer. En BIG -IQ versiones 5.2.0-7.0.0, los mecanismos de sincronización de alta disponibilidad (HA) no usan ninguna forma de autenticación para conectarse con el peer. • https://support.f5.com/csp/article/K69422435 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2020-5869
https://notcve.org/view.php?id=CVE-2020-5869
24 Apr 2020 — In BIG-IQ 5.2.0-7.0.0, high availability (HA) synchronization is not secure by TLS and may allow on-path attackers to read / modify confidential data in transit. En BIG -IQ versiones 5.2.0-7.0.0, la sincronización de alta disponibilidad (HA) no es segura por TLS y puede permitir a atacantes sobre la ruta leer y modificar datos confidenciales en tránsito. • https://support.f5.com/csp/article/K28855111 • CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel •
CVSS: 5.9EPSS: 4%CPEs: 180EXPL: 0CVE-2019-1559 – 0-byte record padding oracle
https://notcve.org/view.php?id=CVE-2019-1559
26 Feb 2019 — If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order ... • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html • CWE-203: Observable Discrepancy CWE-325: Missing Cryptographic Step •