F5: Security Vulnerabilities
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
7.5
EPSS Score
0.008
Published
2024-08-14
The Central Manager user session refresh token does not expire when a user logs out. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS Score
7.5
EPSS Score
0.008
Published
2024-08-14
BIG-IP Next Central Manager may allow an attacker to lock out an account that has never been logged in. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
5.3
EPSS Score
0.003
Published
2024-08-14
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
CVSS Score
6.5
EPSS Score
0.005
Published
2024-05-29
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
CVSS Score
5.3
EPSS Score
0.009
Published
2024-05-29
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
CVSS Score
5.3
EPSS Score
0.004
Published
2024-05-29
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.
CVSS Score
4.8
EPSS Score
0.005
Published
2024-05-29
An improper certificate validation vulnerability exists in BIG-IP Next Central Manager and may allow an attacker to impersonate an Instance Provider system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
6.8
EPSS Score
0.002
Published
2024-05-08
Under certain conditions, a potential data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. However, this issue cannot be exploited by an attacker because it is not consistently reproducible and is beyond an attacker's control. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS Score
6.5
EPSS Score
0.003
Published
2024-05-08
A reflected cross-site scripting (XSS) vulnerability exist in undisclosed page of the BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS Score
6.1
EPSS Score
0.005
Published
2024-05-08