CVSS: 7.5EPSS: 0%CPEs: 14EXPL: 1CVE-2023-45886
https://notcve.org/view.php?id=CVE-2023-45886
The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute. BGP daemon (bgpd) en IP Infusion ZebOS hasta 7.10.6 permite a atacantes remotos provocar una Denegación de Servicio enviando mensajes de actualización de BGP manipulados que contienen un atributo con formato incorrecto. • https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling https://my.f5.com/manage/s/article/K000137315 https://www.ipinfusion.com/doc_prod_cat/zebos https://www.kb.cert.org/vuls/id/347067 •
CVSS: 8.8EPSS: 0%CPEs: 100EXPL: 1CVE-2023-46748 – F5 BIG-IP Configuration Utility SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-46748
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Existe una vulnerabilidad de inyección SQL autenticada en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado con acceso de red a la utilidad de configuración a través del puerto de administración BIG-IP y/o direcciones IP propias ejecute comandos arbitrarios del sistema. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747. • https://my.f5.com/manage/s/article/K000137365 https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 97%CPEs: 100EXPL: 9CVE-2023-46747 – F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-46747
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Las solicitudes no divulgadas pueden omitir la autenticación de la utilidad de configuración, lo que permite a un atacante con acceso de red al sistema BIG-IP a través del puerto de administración y/o direcciones IP propias ejecutar comandos arbitrarios del sistema. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748. • https://github.com/W01fh4cker/CVE-2023-46747-RCE https://github.com/RevoltSecurities/CVE-2023-46747 https://github.com/AliBrTab/CVE-2023-46747-POC https://github.com/maniak-academy/Mitigate-CVE-2023-46747 https://github.com/fu2x2000/CVE-2023-46747 https://github.com/y4v4z/CVE-2023-46747-POC https://github.com/bijaysenihang/CVE-2023-46747-Mass-RCE http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html https://my.f5.com/manage/s/art • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 9.9EPSS: 0%CPEs: 90EXPL: 0CVE-2023-41373 – BIG-IP Configuration Utility vulnerability
https://notcve.org/view.php?id=CVE-2023-41373
A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker to execute commands on the BIG-IP system. For BIG-IP system running in Appliance mode, a successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Existe una vulnerabilidad de directory traversal en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado ejecute comandos en el sistema BIG-IP. Para el sistema BIG-IP que se ejecuta en modo Dispositivo, un exploit exitoso puede permitir al atacante cruzar un límite de seguridad. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan. • https://my.f5.com/manage/s/article/K000135689 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 39EXPL: 0CVE-2023-40534 – BIG-IP HTTP/2 vulnerability
https://notcve.org/view.php?id=CVE-2023-40534
When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Cuando un perfil HTTP/2 del lado del cliente y la opción HTTP MRF Router están habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Política de Tráfico Local está asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalización de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan. • https://my.f5.com/manage/s/article/K000133467 • CWE-401: Missing Release of Memory after Effective Lifetime •