F5: >> Big-Ip Access Policy Manager Client >> 7.1.5 Security Vulnerabilities
On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, a DLL Hijacking vulnerability exists in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS Score
7.3
EPSS Score
0.005
Published
2022-05-05
On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Service's temporary folder has weak file and folder permissions.
CVSS Score
7.8
EPSS Score
0.001
Published
2020-05-12
In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability in the BIG-IP Edge Client Windows ActiveX component.
CVSS Score
8.8
EPSS Score
0.009
Published
2020-05-12
In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver does not sanitize the pointer received from the userland. A local user on the Windows client system can send crafted DeviceIoControl requests to \\.\urvpndrv device causing the Windows kernel to crash.
CVSS Score
5.5
EPSS Score
0.001
Published
2020-05-12
In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP APM, Edge Gateway, and FirePass legacy allow attackers to obtain the full session ID from process memory.
CVSS Score
6.7
EPSS Score
0.001
Published
2020-04-30
In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Edge Client over an unsecure network, BIG-IP Edge Client responds to authentication requests over HTTP while sending probes for captive portal detection.
CVSS Score
3.7
EPSS Score
0.001
Published
2020-04-30
When the Windows Logon Integration feature is configured for all versions of BIG-IP Edge Client for Windows, unauthorized users who have physical access to an authorized user's machine can get shell access under unprivileged user.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-02-06
BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12.1.0-12.1.5, and 11.5.1-11.6.5. In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. Client version 7.1.8 (7180.2019.508.705) and later has the fix.
CVSS Score
7.5
EPSS Score
0.005
Published
2019-09-25
The svpn component of the F5 BIG-IP APM client prior to version 7.1.7.2 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host in a race condition.
CVSS Score
7.0
EPSS Score
0.001
Published
2018-12-06
In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge Client 7101-7160, the BIG-IP APM Edge Client component loads the policy library with user permission and bypassing the endpoint checks.
CVSS Score
5.5
EPSS Score
0.002
Published
2018-10-19
Page 1