F5 Big-Ip Analytics vulnerabilities
472 known vulnerabilities affecting f5/big-ip_analytics.
Total CVEs
472
CISA KEV
11
actively exploited
Public exploits
18
Exploited in wild
11
Severity breakdown
CRITICAL38HIGH263MEDIUM166LOW5
Vulnerabilities
Page 5 of 24
CVE-2023-22374HIGHCVSS 8.5≥ 14.1.4.6, ≤ 14.1.5≥ 15.1.5.1, ≤ 15.1.8+3 more2023-02-01
CVE-2023-22374 [HIGH] CWE-134 CVE-2023-22374:
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to cras
A format string vulnerability exists in iControl SOAP that allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially execute arbitrary code. In appliance mode BIG-IP, a successful exploit of this vulnerability can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical
nvd
CVE-2023-23555HIGHCVSS 7.5≥ 14.1.5, < 14.1.5.3≥ 15.1.4, < 15.1.82023-02-01
CVE-2023-23555 [HIGH] CWE-665 CVE-2023-23555: On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning i
On BIG-IP Virtual Edition versions 15.1x beginning in 15.1.4 to before 15.1.8 and 14.1.x beginning in 14.1.5 to before 14.1.5.3, and BIG-IP SPK beginning in 1.5.0 to before 1.6.0, when FastL4 profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which hav
nvd
CVE-2023-22664HIGHCVSS 7.5≥ 16.1.0, < 16.1.3.3≥ 17.0.0, < 17.0.0.22023-02-01
CVE-2023-22664 [HIGH] CWE-400 CVE-2023-22664: On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in ver
On BIG-IP versions 17.0.x before 17.0.0.2 and 16.1.x before 16.1.3.3, and BIG-IP SPK starting in version 1.6.0, when a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support
nvd
CVE-2023-22842HIGHCVSS 7.5≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.3+2 more2023-02-01
CVE-2023-22842 [HIGH] CWE-121 CVE-2023-22842: On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all v
On BIG-IP versions 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, when a SIP profile is configured on a Message Routing type virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS)
nvd
CVE-2023-22326MEDIUMCVSS 4.9≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.3+3 more2023-02-01
CVE-2023-22326 [MEDIUM] CWE-732 CVE-2023-22326: In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x be
In BIG-IP versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.8.1, 14.1.x before 14.1.5.3, and all versions of 13.1.x, and all versions of BIG-IQ 8.x and 7.1.x, incorrect permission assignment vulnerabilities exist in the iControl REST and TMOS shell (tmsh) dig command which may allow an authenticated attacker with resource a
nvd
CVE-2023-22302MEDIUMCVSS 5.9≥ 16.1.2.2, < 16.1.3.3≥ 17.0.0, < 17.0.0.22023-02-01
CVE-2023-22302 [MEDIUM] CWE-772 CVE-2023-22302: In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when
In BIG-IP versions 17.0.x before 17.0.0.2, and 16.1.x beginning in 16.1.2.2 to before 16.1.3.3, when an HTTP profile is configured on a virtual server and conditions beyond the attacker’s control exist on the target pool member, undisclosed requests sent to the BIG-IP system can cause the Traffic Management Microkernel (TMM) to terminate. Note: Soft
nvd
CVE-2023-22418MEDIUMCVSS 6.1≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.3+3 more2023-02-01
CVE-2023-22418 [MEDIUM] CWE-601 CVE-2023-22418: On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1
On versions 17.0.x before 17.0.0.2, 16.1.x before 16.1.3.3, 15.1.x before 15.1.7, 14.1.x before 14.1.5.3, and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious attacker to build an open redirect URI. Note: Software versions
nvd
CVE-2022-41800HIGHCVSS 8.7PoC≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5+3 more2022-12-07
CVE-2022-41800 [HIGH] CWE-77 CVE-2022-41800:
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Admin
In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Suppor
nvd
CVE-2022-41622HIGHCVSS 8.8≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, ≤ 14.1.5+3 more2022-12-07
CVE-2022-41622 [HIGH] CWE-352 CVE-2022-41622: In all versions,
BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks thr
In all versions,
BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
nvd
CVE-2022-36795HIGHCVSS 7.5≥ 14.1.0, < 14.1.5.1≥ 15.1.0, < 15.1.7+2 more2022-10-19
CVE-2022-36795 [HIGH] CWE-682 CVE-2022-36795: In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, and 14.1.x before 14.1.5.1, when an LTM TCP profile with Auto Receive Window Enabled is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections.
nvd
CVE-2022-41624HIGHCVSS 7.5≥ 13.1.0, < 13.1.5.1≥ 14.1.0, < 14.1.5.2+3 more2022-10-19
CVE-2022-41624 [HIGH] CWE-401 CVE-2022-41624: In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x befo
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.2, 15.1.x before 15.1.7, 14.1.x before 14.1.5.2, and 13.1.x before 13.1.5.1, when a sideband iRule is configured on a virtual server, undisclosed traffic can cause an increase in memory resource utilization.
nvd
CVE-2022-41833HIGHCVSS 7.5≥ 13.1.0, ≤ 13.1.52022-10-19
CVE-2022-41833 [HIGH] CWE-400 CVE-2022-41833: In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a
In all BIG-IP 13.1.x versions, when an iRule containing the HTTP::collect command is configured on a virtual server, undisclosed requests can cause Traffic Management Microkernel (TMM) to terminate.
nvd
CVE-2022-41832HIGHCVSS 7.5≥ 13.1.0, < 13.1.5.1≥ 14.1.0, < 14.1.5.1+3 more2022-10-19
CVE-2022-41832 [HIGH] CWE-401 CVE-2022-41832: In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x be
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1, when a SIP profile is configured on a virtual server, undisclosed messages can cause an increase in memory resource utilization.
nvd
CVE-2022-41770MEDIUMCVSS 6.5≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.1+3 more2022-10-19
CVE-2022-41770 [MEDIUM] CWE-400 CVE-2022-41770: In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x befo
In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ all versions of 8.x and 7.x, an authenticated iControl REST user can cause an increase in memory resource utilization, via undisclosed requests.
nvd
CVE-2022-41694MEDIUMCVSS 4.9≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5+2 more2022-10-19
CVE-2022-41694 [MEDIUM] CWE-20 CVE-2022-41694: In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versi
In BIG-IP versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, and BIG-IQ versions 8.x before 8.2.0.1 and all versions of 7.x, when an SSL key is imported on a BIG-IP or BIG-IQ system, undisclosed input can cause MCPD to terminate.
nvd
CVE-2022-41983LOWCVSS 3.7≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.1+2 more2022-10-19
CVE-2022-41983 [LOW] CWE-319 CVE-2022-41983: On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.
On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied.
nvd
CVE-2022-34865CRITICALCVSS 9.1≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5+1 more2022-08-04
CVE-2022-34865 [CRITICAL] CWE-295 CVE-2022-34865: In BIG-IP Versions 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, Traffic
In BIG-IP Versions 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, Traffic Intelligence feeds, which use HTTPS, do not verify the remote endpoint identity, allowing for potential data poisoning. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
nvd
CVE-2022-35728CRITICALCVSS 9.8≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5.1+3 more2022-08-04
CVE-2022-35728 [CRITICAL] CWE-613 CVE-2022-35728: In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x be
In BIG-IP Versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and all versions of 13.1.x, and BIG-IQ version 8.x before 8.2.0 and all versions of 7.x, an authenticated user's iControl REST token may remain valid for a limited time after logging out from the Configuration utility. Note: Software
nvd
CVE-2022-35243CRITICALCVSS 9.1≥ 13.1.0, ≤ 13.1.5≥ 14.1.0, < 14.1.5+2 more2022-08-04
CVE-2022-35243 [CRITICAL] CWE-269 CVE-2022-35243: In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versi
In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross
nvd
CVE-2022-35240HIGHCVSS 7.5≥ 14.1.0, < 14.1.5≥ 15.1.0, < 15.1.6.1+1 more2022-08-04
CVE-2022-35240 [HIGH] CWE-404 CVE-2022-35240: In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5, when th
In BIG-IP Versions 16.1.x before 16.1.2.2, 15.1.x before 15.1.6.1, and 14.1.x before 14.1.5, when the Message Routing (MR) Message Queuing Telemetry Transport (MQTT) profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (
nvd