
CVSS: 6.5 • EPSS: 1% • CPEs: 1 • EXPL: 0

29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential impact. • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-787: Out-of-bounds Write

CVSS: 4.8 • EPSS: 1% • CPEs: 1 • EXPL: 0

29 May 2024 — When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over. • http://www.openwall.com/lists/oss-security/2024/05/30/4 • CWE-121: Stack-based Buffer Overflow

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 May 2024 — Under certain conditions, a potential data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. However, this issue cannot be exploited by an attacker because it is not consistently reproducible and is beyond an attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000139217 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 10.0 • EPSS: 89% • CPEs: 1 • EXPL: 2

08 May 2024 — An SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://github.com/passwa11/CVE-2024-26026 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 10.0 • EPSS: 89% • CPEs: 1 • EXPL: 1

08 May 2024 — An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://github.com/FeatherStark/CVE-2024-21793 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 May 2024 — An improper certificate validation vulnerability exists in BIG-IP Next Central Manager and may allow an attacker to impersonate an Instance Provider system. A successful exploit of this vulnerability can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000139012 • CWE-295: Improper Certificate Validation

CVSS: 9.0 • EPSS: 0% • CPEs: 3 • EXPL: 0

08 May 2024 — A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138636 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 3 • EXPL: 0

08 May 2024 — A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138894 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 May 2024 — An Exposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138913 • CWE-922: Insecure Storage of Sensitive Information

CVSS: 5.9 • EPSS: 0% • CPEs: 3 • EXPL: 0

08 May 2024 — When an SSL profile with alert timeout is configured with a non-default value on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. • https://my.f5.com/manage/s/article/K000138912 • CWE-825: Expired Pointer Dereference