VYPR

Vendor CVEs

F5, Inc.

All CVEs

761 total · sorted by risk
  • CVE-2025-23419 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.03

    When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets…

  • CVE-2025-23413 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When users log in through the webUI or API using local authentication, BIG-IP Next Central Manager may log sensitive information in the pgaudit log files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-24319 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2025-24320 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability is due to an incomplete fix for CVE-2024-31156…

  • CVE-2025-24497 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When URL categorization is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-24312 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When BIG-IP AFM is provisioned with IPS module enabled and protocol inspection profile is configured on a virtual server or firewall rule or policy, undisclosed traffic can cause an increase in CPU resource utilization. Note: Software versions which have reached End of…

  • CVE-2025-22846 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When SIP Session and Router ALG profiles are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2025-23412 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When BIG-IP APM Access Profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-23239 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.01

    When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software…

  • CVE-2025-24326 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When BIG-IP Advanced WAF/ASM Behavioral DoS (BADoS) TLS Signatures feature is configured, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-20045 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When SIP session Application Level Gateway mode (ALG) profile with Passthru Mode enabled and SIP router ALG profile are configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software…

  • CVE-2025-22891 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When BIG-IP PEM Control Plane listener Virtual Server is configured with Diameter Endpoint profile, undisclosed traffic can cause the Virtual Server to stop processing new client connections and an increase in memory resource utilization. Note: Software versions which have…

  • CVE-2025-20058 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When a BIG-IP message routing profile is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-23415 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    An insufficient verification of data authenticity vulnerability exists in BIG-IP APM Access Policy endpoint inspection that may allow an attacker to bypass endpoint inspection checks for VPN connections initiated through the BIG-IP APM browser network access VPN client for Windows,…

  • CVE-2025-21091 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When SNMP v1 or v2c are disabled on the BIG-IP, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2025-21087 · Feb 5, 2025
    risk 0.00 · cvss · epss 0.00

    When Client or Server SSL profiles are configured on a Virtual Server, or DNSSEC signing operations are in use, undisclosed traffic can cause an increase in memory and CPU resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are…

  • CVE-2024-10318 · Nov 6, 2024
    risk 0.00 · cvss · epss 0.00

    A session fixation issue was discovered in the NGINX OpenID Connect reference implementation, where a nonce was not checked at login time. This flaw allows an attacker to fix a victim's session to an attacker-controlled account. As a result, although the attacker cannot log in…

  • CVE-2024-45844 · Oct 16, 2024
    risk 0.00 · cvss · epss 0.11

    BIG-IP monitor functionality may allow an attacker to bypass access control restrictions, regardless of the port lockdown settings. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-47139 · Oct 16, 2024
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IQ Configuration utility that allows an attacker with the Administrator role to run JavaScript in the context of the currently logged-in user. Note: Software versions which have…

  • CVE-2024-7347 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the…

  • CVE-2024-39792 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-37028 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-39809 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-41719 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    When generating a QKView of a BIG-IP Next instance from the BIG-IP Next Central Manager (CM), F5 iHealth credentials will be logged in the BIG-IP Central Manager logs. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-41727 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    In BIG-IP tenants running on r2000 and r4000 series hardware, or BIG-IP Virtual Edition (VEs) using Intel E810 SR-IOV NIC, undisclosed traffic can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS)…

  • CVE-2024-41164 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    When a TCP profile with Multipath TCP (MPTCP) enabled is configured on a Virtual Server, undisclosed traffic along with conditions beyond the attacker's control can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2024-39778 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    When a stateless virtual server is configured on a BIG-IP system with a High-Speed Bridge (HSB), undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-41723 · Aug 14, 2024
    risk 0.00 · cvss · epss 0.00

    Undisclosed requests to BIG-IP iControl REST can lead to an information leak of user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-34161 · May 29, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

  • CVE-2024-35200 · May 29, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

  • CVE-2024-32760 · May 29, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause other potential impact.

  • CVE-2024-31079 · May 29, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining…

  • CVE-2024-32761 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occurs, it may leak up to 64 bytes of non-contiguous…

  • CVE-2024-33612 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    An improper certificate validation vulnerability exists in BIG-IP Next Central Manager and may allow an attacker to impersonate an Instance Provider system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-31156 · May 8, 2024
    risk 0.00 · cvss · epss 0.01

    A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support…

  • CVE-2024-33604 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    A reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support…

  • CVE-2024-28889 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    When an SSL profile with alert timeout is configured with a non-default value on a virtual server, undisclosed traffic along with conditions beyond the attacker's control can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have…

  • CVE-2024-32049 · May 8, 2024
    risk 0.00 · cvss · epss 0.01

    BIG-IP Next Central Manager (CM) may allow an unauthenticated, remote attacker to obtain the BIG-IP Next LTM/WAF instance credentials. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-27202 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    A DOM-based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support…

  • CVE-2024-25560 · May 8, 2024
    risk 0.00 · cvss · epss 0.01

    When BIG-IP AFM is licensed and provisioned, undisclosed DNS traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-33608 · May 8, 2024
    risk 0.00 · cvss · epss 0.01

    When IPsec is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-28883 · May 8, 2024
    risk 0.00 · cvss · epss 0.00

    An origin validation vulnerability exists in BIG-IP APM browser network access VPN client for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. Note: Software versions which have reached End of Technical Support (EoTS) are not…

  • CVE-2024-23982 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When a BIG-IP PEM classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This issue affects classification engines using signatures released between 09-08-2022 and 02-16-2023. See the…

  • CVE-2024-24990 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC…

  • CVE-2024-24989 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC…

  • CVE-2024-21763 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When BIG-IP AFM Device DoS or DoS profile is configured with NXDOMAIN attack vector and bad actor detection, undisclosed queries can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are…

  • CVE-2024-23805 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. For the Application Visibility and Reporting module, this may occur when the HTTP Analytics profile with URLs enabled under Collected Entities is configured on a virtual server and the DB…

  • CVE-2024-21789 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When a BIG-IP ASM/Advanced WAF security policy is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

  • CVE-2024-23308 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.01

    When a BIG-IP Advanced WAF or BIG-IP ASM policy with a Request Body Handling option is attached to a virtual server, undisclosed requests can cause the BD process to terminate. The condition results from setting the Request Body Handling option in the Header-Based Content…

  • CVE-2024-23603 · Feb 14, 2024
    risk 0.00 · cvss · epss 0.00

    An SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Page 6 of 16