CVSS: 8.8EPSS: 0%CPEs: 100EXPL: 1CVE-2023-46748 – F5 BIG-IP Configuration Utility SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-46748
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Existe una vulnerabilidad de inyección SQL autenticada en la utilidad de configuración BIG-IP que puede permitir que un atacante autenticado con acceso de red a la utilidad de configuración a través del puerto de administración BIG-IP y/o direcciones IP propias ejecute comandos arbitrarios del sistema. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747. • https://my.f5.com/manage/s/article/K000137365 https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 97%CPEs: 100EXPL: 9CVE-2023-46747 – F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-46747
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated Las solicitudes no divulgadas pueden omitir la autenticación de la utilidad de configuración, lo que permite a un atacante con acceso de red al sistema BIG-IP a través del puerto de administración y/o direcciones IP propias ejecutar comandos arbitrarios del sistema. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748. • https://github.com/W01fh4cker/CVE-2023-46747-RCE https://github.com/RevoltSecurities/CVE-2023-46747 https://github.com/AliBrTab/CVE-2023-46747-POC https://github.com/maniak-academy/Mitigate-CVE-2023-46747 https://github.com/fu2x2000/CVE-2023-46747 https://github.com/y4v4z/CVE-2023-46747-POC https://github.com/bijaysenihang/CVE-2023-46747-Mass-RCE http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html https://my.f5.com/manage/s/art • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 4.4EPSS: 0%CPEs: 76EXPL: 0CVE-2023-45219 – BIG-IP tmsh vulnerability
https://notcve.org/view.php?id=CVE-2023-45219
Exposure of Sensitive Information vulnerability exist in an undisclosed BIG-IP TMOS shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. La vulnerabilidad de exposición a información confidencial existe en un comando de BIG-IP TMOS shell (tmsh) no divulgado que puede permitir que un atacante autenticado con privilegios de administrador de recursos vea información confidencial. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan. • https://my.f5.com/manage/s/article/K20307245 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.7EPSS: 0%CPEs: 54EXPL: 0CVE-2023-43746 – BIG-IP Appliance mode external monitor vulnerability
https://notcve.org/view.php?id=CVE-2023-43746
When running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing BIG-IP external monitor on a BIG-IP system. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. Cuando se ejecuta en modo Appliance, un usuario autenticado al que se le haya asignado la función de Administrator puede evitar las restricciones del modo Appliance, utilizando el monitor externo BIG-IP en un sistema BIG-IP. Un exploit exitoso puede permitir al atacante cruzar un límite de seguridad. • https://my.f5.com/manage/s/article/K41072952 • CWE-267: Privilege Defined With Unsafe Actions •
CVSS: 7.8EPSS: 0%CPEs: 78EXPL: 0CVE-2023-43611 – BIG-IP Edge Client for macOS vulnerability
https://notcve.org/view.php?id=CVE-2023-43611
The BIG-IP Edge Client Installer on macOS does not follow best practices for elevating privileges during the installation process. This vulnerability is due to an incomplete fix for CVE-2023-38418. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated El instalador del cliente BIG-IP Edge en macOS no sigue las mejores prácticas para elevar los privilegios durante el proceso de instalación. Esta vulnerabilidad se debe a una solución incompleta para CVE-2023-38418. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se evalúan • https://my.f5.com/manage/s/article/K000136185 • CWE-347: Improper Verification of Cryptographic Signature •