U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:f5:big-ip_application_security_manager:17.0.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 42 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-38423

A cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: August 02, 2023; 12:15:10 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-38419

An authenticated attacker with guest privileges or higher can cause the iControl SOAP process to terminate by sending undisclosed requests.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: August 02, 2023; 12:15:10 PM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2023-38138

A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: August 02, 2023; 12:15:10 PM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-29163

When UDP profile with idle timeout set to immediate or the value 0 is configured on a virtual server, undisclosed traffic can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: May 03, 2023; 11:15:13 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-28406

A directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which may allow an authenticated attacker to read files with .xml extension. Access to restricted information is limited and the attacker does not control what information is obtained.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: May 03, 2023; 11:15:12 AM -0400
V3.1: 4.3 MEDIUM
V2.0:(not available)
CVE-2023-27378

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in undisclosed pages of the BIG-IP Configuration utility which allow an attacker to run JavaScript in the context of the currently logged-in user.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: May 03, 2023; 11:15:12 AM -0400
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-23552

On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.0 before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a BIG-IP Advanced WAF or BIG-IP ASM security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-22664

On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-22422

On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, when a HTTP profile with the non-default Enforcement options of Enforce HTTP Compliance and Unknown Methods: Reject are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-22418

On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious attacker to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2023-22374

A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 8.5 HIGH
V2.0:(not available)
CVE-2023-22340

On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:11 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-22326

In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource administrator or administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:10 PM -0500
V3.1: 4.9 MEDIUM
V2.0:(not available)
CVE-2023-22323

In BIP-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when OCSP authentication profile is configured on a virtual server, undisclosed requests can cause an increase in CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:10 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2023-22302

In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: February 01, 2023; 1:15:10 PM -0500
V3.1: 5.9 MEDIUM
V2.0:(not available)
CVE-2022-41800

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: December 06, 2022; 11:15:10 PM -0500
V3.1: 8.7 HIGH
V2.0:(not available)
CVE-2022-41622

In all versions,  BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: December 06, 2022; 11:15:10 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2022-41836

When an 'Attack Signature False Positive Mode' enabled security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate.

Published: October 19, 2022; 6:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-41832

In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when a SIP profile is configured on a virtual server, undisclosed messages can cause an increase in memory resource utilization.

Published: October 19, 2022; 6:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-41770

In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests.

Published: October 19, 2022; 6:15:12 PM -0400
V3.1: 6.5 MEDIUM
V2.0:(not available)