VYPR

BIG-IP APM

by F5, Inc.

CVEs (15)

  • CVE-2021-22985 | High | Feb 12, 2021
    risk 0.49 | cvss 7.5 | epss 0.01

    On BIG-IP APM version 16.0.x before 16.0.1.1, under certain conditions, when processing VPN traffic with APM, TMM consumes excessive memory. A malicious, authenticated VPN user may abuse this to perform a DoS attack against the APM. Note: Software versions which have reached End…

  • CVE-2020-27723 | High | Dec 24, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    In versions 14.1.0-14.1.3 and 13.1.0-13.1.3.4, a BIG-IP APM virtual server processing PingAccess requests may lead to a restart of the Traffic Management Microkernel (TMM) process.

  • CVE-2020-27716 | High | Dec 24, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    On versions 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.5, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when a BIG-IP APM virtual server processes traffic of an undisclosed nature, the Traffic Management Microkernel (TMM) stops responding and restarts.

  • CVE-2020-5919 | High | Aug 26, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    In versions 15.1.0-15.1.0.4, rendering of certain session variables by BIG-IP APM UI-based agents in an access profile configured with Modern customization may cause the Traffic Management Microkernel (TMM) to stop responding.

  • CVE-2020-5874 | High | Apr 30, 2020
    risk 0.49 | cvss 7.5 | epss 0.01

    On BIG-IP APM 15.0.0-15.0.1.2, 14.1.0-14.1.2.3, and 14.0.0-14.0.1, in certain circumstances, an attacker sending specifically crafted requests to a BIG-IP APM virtual server may cause a disruption of service provided by the Traffic Management Microkernel (TMM).

  • CVE-2020-5892 | Med | Apr 30, 2020
    risk 0.44 | cvss 6.7 | epss 0.00

    In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory.

  • CVE-2020-27722 | Med | Dec 24, 2020
    risk 0.42 | cvss 6.5 | epss 0.01

    In BIG-IP APM versions 15.0.0-15.0.1.3, 14.1.0-14.1.3, and 13.1.0-13.1.3.4, under certain conditions, the VDI plugin does not observe plugin flow-control protocol causing excessive resource consumption.

  • CVE-2020-27724 | Med | Dec 24, 2020
    risk 0.42 | cvss 6.5 | epss 0.01

    In BIG-IP APM versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, on systems running more than one TMM instance, authenticated VPN users may consume excessive resources by sending specially-crafted…

  • CVE-2020-5934 | Med | Oct 29, 2020
    risk 0.42 | cvss 6.5 | epss 0.00

    On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, when multiple HTTP requests from the same client to configured SAML Single Logout (SLO) URL are passing through a TCP Keep-Alive connection, traffic to TMM can be disrupted.

  • CVE-2020-27729 | Med | Dec 24, 2020
    risk 0.40 | cvss 6.1 | epss 0.01

    In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, an undisclosed link on the BIG-IP APM virtual server allows a malicious user to build an open redirect URI.

  • CVE-2020-27726 | Med | Dec 24, 2020
    risk 0.40 | cvss 6.1 | epss 0.01

    In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.

  • CVE-2020-5908 | Med | Jul 1, 2020
    risk 0.36 | cvss 5.5 | epss 0.00

    In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, Edge Client for Linux exposes full session ID in the local log files.

  • CVE-2020-5924 | Med | Aug 26, 2020
    risk 0.35 | cvss 5.3 | epss 0.01

    In BIG-IP APM versions 12.1.0-12.1.5.1 and 11.6.1-11.6.5.2, RADIUS authentication leaks memory when the username for authentication is not set.

  • CVE-2020-5889 | Med | Apr 30, 2020
    risk 0.35 | cvss 5.4 | epss 0.01

    On versions 15.1.0-15.1.0.1, 15.0.0-15.0.1.2, and 14.1.0-14.1.2.3, in BIG-IP APM portal access, a specially crafted HTTP request can lead to reflected XSS after the BIG-IP APM system rewrites the HTTP response from the untrusted backend server and sends it to the client.

  • CVE-2020-5853 | Med | Jan 14, 2020
    risk 0.35 | cvss 5.4 | epss 0.01

    In BIG-IP APM portal access on versions 15.0.0-15.1.0, 14.0.0-14.1.2.3, 13.1.0-13.1.3.2, 12.1.0-12.1.5, and 11.5.2-11.6.5.1, when backend servers serve HTTP pages with special JavaScript code, this can lead to internal portal access name conflict.