CVSS: 9.0EPSS: 49%CPEs: 100EXPL: 1CVE-2023-46748 – F5 BIG-IP Configuration Utility SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-46748
26 Oct 2023 — An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Existe una vulnerabilidad de inyección SQL autenticada en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado c... • https://my.f5.com/manage/s/article/K000137365 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 94%CPEs: 100EXPL: 12CVE-2023-46747 – F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-46747
26 Oct 2023 — Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Las solicitudes no divulgadas pueden omitir la autenticación de la utilidad de configuración, lo que permite a un atacante con acceso de red al sistema BIG-IP a través del puerto de administración... • https://packetstorm.news/files/id/177444 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 9.9EPSS: 13%CPEs: 90EXPL: 0CVE-2023-41373 – BIG-IP Configuration Utility vulnerability
https://notcve.org/view.php?id=CVE-2023-41373
10 Oct 2023 — A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de directory traversal en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado ej... • https://my.f5.com/manage/s/article/K000135689 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 39EXPL: 0CVE-2023-40534 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2023-40534
10 Oct 2023 — When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Cuando un perfil HTTP/2 del lado del cliente y la opción HTTP MRF Router están habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST ... • https://my.f5.com/manage/s/article/K000133467 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5450 – BIG-IP Edge Client for macOS vulnerability
https://notcve.org/view.php?id=CVE-2023-5450
10 Oct 2023 — An insufficient verification of data vulnerability exists in BIG-IP Edge Client Installer on macOS that may allow an attacker elevation of privileges during the installation process. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una verificación insuficiente de la vulnerabilidad de los datos en BIG-IP Edge Client Installer en macOS que puede permitir que un atacante aumente sus privilegios durante el proceso de instalación. Nota: Las versiones de softwa... • https://my.f5.com/manage/s/article/K000135040 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-43125 – BIG-IP APM Clients TunnelCrack vulnerability
https://notcve.org/view.php?id=CVE-2023-43125
27 Sep 2023 — BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Los clientes BIG-IP APM pueden enviar tráfico IP fuera del túnel VPN. Nota: Las versiones de software que han llegado al Final del Soporte Técnico (EoTS) no se evalúan • https://my.f5.com/manage/s/article/K000136909 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2023-43124 – BIG-IP APM Clients TunnelCrack vulnerability
https://notcve.org/view.php?id=CVE-2023-43124
27 Sep 2023 — BIG-IP APM clients may send IP traffic outside of the VPN tunnel. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Los clientes BIG-IP APM pueden enviar tráfico IP fuera del túnel VPN. Nota: Las versiones de software que han llegado al Final del Soporte Técnico (EoTS) no se evalúan • https://my.f5.com/manage/s/article/K000136907 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 95EXPL: 0CVE-2023-38423 – BIG-IP Configuration utility vulnerability
https://notcve.org/view.php?id=CVE-2023-38423
02 Aug 2023 — A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de Cross-Site Scripting (XSS) en una página no revelada de la utilidad de configuración de BIG-IP que permite a un atacante ejecutar JavaScript en el contexto del usuario actualmente conectado.... • https://my.f5.com/manage/s/article/K000134535 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 96EXPL: 0CVE-2023-38419 – BIG-IP and BIG-IQ iControl SOAP vulnerability
https://notcve.org/view.php?id=CVE-2023-38419
02 Aug 2023 — An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Un atacante autenticado con privilegios de invitado o superior puede provocar la finalización del proceso iControl SOAP mediante el envío de solicitudes no reveladas. Nota: No se evalúan las versiones de software que han alcanzado el fin del soporte técnico (EoTS). • https://my.f5.com/manage/s/article/K000133472 • CWE-755: Improper Handling of Exceptional Conditions •