Check CVE Id
Check CWE Id
In BIG-IP 14.0.0-188.8.131.52, 13.0.0-184.108.40.206, 12.1.0-220.127.116.11, 11.6.1-18.104.22.168, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients.
In BIG-IP 14.0.0-22.214.171.124, 13.0.0-126.96.36.199, 12.1.0-188.8.131.52, 11.6.1-184.108.40.206, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and does not have the access level to perform the attack.
In BIG-IP 13.0.0-220.127.116.11, 12.1.0-18.104.22.168, 11.6.1-22.214.171.124, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
On BIG-IP 11.5.1-126.96.36.199, 188.8.131.52-184.108.40.206, 13.0.0 HF1-220.127.116.11, and 14.0.0-18.104.22.168, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances.
On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2019-6593 also known as Zombie POODLE and GOLDENDOODLE.)
On BIG-IP 14.1.0-22.214.171.124, TMM may restart and produce a core file when validating SSL certificates in client SSL or server SSL profiles.
On BIG-IP 14.0.0-126.96.36.199, 13.0.0-188.8.131.52, 12.1.0-184.108.40.206, and 11.6.0-220.127.116.11, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility.
On versions 11.2.1. and greater, unrestricted Snapshot File Access allows BIG-IP system's user with any role, including Guest Role, to have access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps.
On BIG-IP 14.0.0-18.104.22.168, 13.0.0-22.214.171.124, or 12.1.0-126.96.36.199, when a virtual server using the inflate functionality to process a gzip bomb as a payload, the BIG-IP system will experience a fatal error and may cause the Traffic Management Microkernel (TMM) to produce a core file.
On BIG-IP 14.0.0-188.8.131.52, 13.0.0-184.108.40.206, or 12.1.0-220.127.116.11, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.
Back to Top