National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.1
There are 92 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2019-6647

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.2, 12.1.0-12.1.4.1, 11.5.2-11.6.4, when processing authentication attempts for control-plane users MCPD leaks a small amount of memory. Under rare conditions attackers with access to the management interface could eventually deplete memory on the system.

Published: September 04, 2019; 01:15:11 PM -04:00
V3.1: 5.3 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-6640

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, SNMP exposes sensitive configuration objects over insecure transmission channels. This issue is exposed when a passphrase is inserted into various profile types and accessed using SNMPv2.

Published: July 03, 2019; 03:15:13 PM -04:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2019-6639

On BIG-IP (AFM, PEM) 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, 11.6.1-11.6.3.4, and 11.5.1-11.5.8, an undisclosed TMUI pages for AFM and PEM Subscriber management are vulnerable to a stored cross-site scripting (XSS) issue. This is a control plane issue only and is not accessible from the data plane. The attack requires a malicious resource administrator to store the XSS.

Published: July 03, 2019; 03:15:13 PM -04:00
V3.0: 4.8 MEDIUM
    V2: 3.5 LOW
CVE-2019-6625

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12.1.4, and 11.5.1-11.6.4, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Traffic Management User Interface (TMUI) also known as the BIG-IP Configuration utility.

Published: July 03, 2019; 02:15:10 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-6622

On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12.1.4.1, and 11.5.1-11.6.4, an undisclosed iControl REST worker is vulnerable to command injection by an administrator or resource administrator user. This attack is only exploitable on multi-bladed systems.

Published: July 02, 2019; 05:15:11 PM -04:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2019-6608

On BIG-IP 11.5.1-11.6.3, 12.1.0-12.1.3, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, the snmpd daemon may leak memory on a multi-blade BIG-IP vCMP guest when processing authorized SNMP requests.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 5.9 MEDIUM
    V2: 7.1 HIGH
CVE-2019-6606

On BIG-IP 11.5.1-11.6.3.4, 12.1.0-12.1.3.7, 13.0.0-13.1.1.3, and 14.0.0-14.0.0.2, when processing certain SNMP requests with a request-id of 0, the snmpd process may leak a small amount of memory.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-6605

On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, and 12.0.x, an undisclosed sequence of packets received by an SSL virtual server and processed by an associated Client SSL or Server SSL profile may cause a denial of service.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-6604

On BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3.6, 13.0.0-13.1.1.1, and 14.0.0-14.0.0.2, under certain conditions, hardware systems with a High-Speed Bridge and using non-default Layer 2 forwarding configurations may experience a lockup of the High-Speed Bridge.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 6.8 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-6603

In BIG-IP 11.5.1-11.5.8, 11.6.1-11.6.3, 12.1.0-12.1.3, and 13.0.0-13.0.1, malformed TCP packets sent to a self IP address or a FastL4 virtual server may cause an interruption of service. The control plane is not exposed to this issue. This issue impacts the data plane virtual servers and self IPs.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-6602

In BIG-IP 11.5.1-11.5.8 and 11.6.1-11.6.3, the Configuration Utility login page may not follow best security practices when handling a malicious request.

Published: March 28, 2019; 05:29:00 PM -04:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2019-6600

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8, when remote authentication is enabled for administrative users and all external users are granted the "guest" role, unsanitized values can be reflected to the client via the login page. This can lead to a cross-site scripting attack against unauthenticated clients.

Published: March 13, 2019; 06:29:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-6598

In BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, malformed requests to the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, may lead to disruption of TMUI services. This attack requires an authenticated user with any role (other than the No Access role). The No Access user role cannot login and does not have the access level to perform the attack.

Published: March 13, 2019; 06:29:00 PM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2019-6597

In BIG-IP 13.0.0-13.1.1.1, 12.1.0-12.1.3.7, 11.6.1-11.6.3.2, or 11.5.1-11.5.8 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, restrictions on allowed commands may not be enforced.

Published: March 13, 2019; 06:29:00 PM -04:00
V3.0: 7.2 HIGH
    V2: 6.5 MEDIUM
CVE-2019-6594

On BIG-IP 11.5.1-11.6.3.2, 12.1.3.4-12.1.3.7, 13.0.0 HF1-13.1.1.1, and 14.0.0-14.0.0.2, Multi-Path TCP (MPTCP) does not protect against multiple zero length DATA_FINs in the reassembly queue, which can lead to an infinite loop in some circumstances.

Published: February 26, 2019; 10:29:00 AM -05:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2019-6593

On BIG-IP 11.5.1-11.5.4, 11.6.1, and 12.1.0, a virtual server configured with a Client SSL profile may be vulnerable to a chosen ciphertext attack against CBC ciphers. When exploited, this may result in plaintext recovery of encrypted messages through a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself. (CVE-2019-6593 also known as Zombie POODLE and GOLDENDOODLE.)

Published: February 26, 2019; 10:29:00 AM -05:00
V3.0: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2018-15333

On versions 11.2.1. and greater, unrestricted Snapshot File Access allows BIG-IP system's user with any role, including Guest Role, to have access and download previously generated and available snapshot files on the BIG-IP configuration utility such as QKView and TCPDumps.

Published: December 28, 2018; 10:29:00 AM -05:00
V3.0: 5.5 MEDIUM
    V2: 2.1 LOW
CVE-2018-15328

On BIG-IP 14.0.x, 13.x, 12.x, and 11.x, Enterprise Manager 3.1.1, BIG-IQ 6.x, 5.x, and 4.x, and iWorkflow 2.x, the passphrases for SNMPv3 users and trap destinations that are used for authentication and privacy are not handled by the BIG-IP system Secure Vault feature; they are written in the clear to the various configuration files.

Published: December 12, 2018; 09:29:00 AM -05:00
V3.0: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2018-15322

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.7, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 6.0.0-6.0.1, 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.0.1-2.3.0, or Enterprise Manager 3.1.1 a BIG-IP user granted with tmsh access may cause the BIG-IP system to experience denial-of-service (DoS) when the BIG-IP user uses the tmsh utility to run the edit cli preference command and proceeds to save the changes to another filename repeatedly. This action utilises storage space on the /var partition and when performed repeatedly causes the /var partition to be full.

Published: October 31, 2018; 10:29:00 AM -04:00
V3.0: 6.5 MEDIUM
    V2: 4.0 MEDIUM
CVE-2018-15321

When BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or 11.2.1-11.5.6, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, iWorkflow 2.1.0-2.3.0, or Enterprise Manager 3.1.1 is licensed for Appliance Mode, Admin and Resource administrator roles can by-pass BIG-IP Appliance Mode restrictions to overwrite critical system files. Attackers of high privilege level are able to overwrite critical system files which bypasses security controls in place to limit TMSH commands. This is possible with an administrator or resource administrator roles when granted TMSH. Resource administrator roles must have TMSH access in order to perform this attack.

Published: October 31, 2018; 10:29:00 AM -04:00
V3.0: 4.9 MEDIUM
    V2: 5.5 MEDIUM