BIG-IP Application Security Manager
On BIG-IP 12.1.0-22.214.171.124, undisclosed requests can cause iControl REST processes to crash. The attack can only come from an authenticated user; all roles are capable of performing the attack. Unauthenticated users cannot perform this attack.
On BIG-IP 14.1.0-126.96.36.199, 14.0.0-188.8.131.52, 13.0.0-184.108.40.206, 12.1.0-12.1.4, 11.6.1-220.127.116.11, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.
On BIG-IP 14.1.0-18.104.22.168 and 14.0.0-22.214.171.124, malformed HTTP requests made to an undisclosed iControl REST endpoint can lead to an infinite loop in the restjavad process.
On BIG-IP (ASM) 14.1.0-126.96.36.199, 14.0.0-188.8.131.52, 13.0.0-184.108.40.206, and 12.1.0-12.1.4, application logic abuse of ASM REST endpoints can lead to instability of the BIG-IP system. Exploitation of this issue causes excessive memory consumption, which results in the Linux kernel triggering the OOM killer on arbitrary processes. The attack requires an authenticated user with the "Guest" role or greater privilege. Note: "No Access" is technically a role, but a user with this access role cannot log in and therefore cannot perform the attack.
On BIG-IP (AFM, ASM) 14.1.0-220.127.116.11, 14.0.0-18.104.22.168, 13.0.0-22.214.171.124, 12.1.0-12.1.4, and 11.5.1-11.6.4, a stored cross-site scripting vulnerability exists in the AFM feed list. In the worst case, an attacker can store a CSRF payload that results in code execution as the admin user. The user roles that can perform this attack are Resource Administrator and Administrator.
On BIG-IP 14.1.0-126.96.36.199, 14.0.0-188.8.131.52, 13.0.0-184.108.40.206, 12.1.0-12.1.4, 11.6.1-220.127.116.11, and 11.5.1-11.5.8, when the BIG-IP system is licensed for Appliance mode, a user with either the Administrator or the Resource Administrator role can bypass Appliance mode restrictions.
On BIG-IP 14.1.0-18.104.22.168, 14.0.0-22.214.171.124, 13.0.0-126.96.36.199, and 12.1.0-12.1.4, a high volume of malformed analytics report requests leads to instability in restjavad process. This causes issues with both iControl REST and some portions of TMUI. The attack requires an authenticated user with any role.
On BIG-IP 14.1.0-188.8.131.52, 14.0.0-184.108.40.206, 13.0.0-220.127.116.11, 12.1.0-18.104.22.168, and 11.5.1-11.6.4, when the BIG-IP system is licensed with Appliance mode, user accounts with Administrator and Resource Administrator roles can bypass Appliance mode restrictions.
On BIG-IP 14.1.0-22.214.171.124, 14.0.0-126.96.36.199, 13.0.0-188.8.131.52, and 12.1.0-12.1.4, under certain circumstances, attackers can decrypt configuration items that are encrypted because the vCMP configuration unit key is generated with insufficient randomness. The attack prerequisite is direct access to encrypted configuration and/or UCS files.
On BIG-IP 11.5.1-11.6.4, iRules performing HTTP header manipulation may cause an interruption to service when processing traffic handled by a Virtual Server with an associated HTTP profile, in specific circumstances where the requests do not strictly conform to the RFCs.