Severity
Medium
Analysis Summary
CVE-2024-37028 CVSS:5.3
F5 BIG-IP Next Central Manager is vulnerable to a denial of service. By sending a specially crafted request, an remote attacker could exploit this vulnerability to lock out a BIG-IP Next Central Manager webUI account.
CVE-2024-41719 CVSS:4.2
F5 BIG-IP Next Central Manager could allow a local authenticated attacker to obtain sensitive information, caused by the insertion of sensitive information into log file. By accessing the log files, a local authenticated attacker could exploit this vulnerability to obtain sensitive information.
CVE-2024-7347 CVSS:4.7
F5 NGINX Plus and NGINX Open Source are vulnerable to a denial of service, caused by a buffer over-read flaw in the ngx_http_mp4_module. By using a specially crafted mp4 file, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVE-2024-41164 CVSS:5.9
F5 BIG-IP is vulnerable to a denial of service, caused by a flaw when a TCP profile with Multipath TCP enabled (MPTCP) is configured on a virtual server. By sending a specially crafted request, an remote attacker could exploit this vulnerability to cause TMM to terminate.
CVE-2024-41723 CVSS:4.3
F5 BIG-IP could allow a remote authenticated attacker to obtain sensitive information. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
Impact
- Denial of Service
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-37028
- CVE-2024-41719
- CVE-2024-7347
- CVE-2024-41164
- CVE-2024-41723
Affected Vendors
Affected Products
- F5 NGINX Plus R27
- F5 NGINX Plus R32
- F5 BIG-IP Next Central Manager - 20.2.0
- F5 NGINX Open Source 1.26.1
- F5 NGINX Open Source 1.5.13
- F5 BIG-IP - 15.1.9
- F5 BIG-IP - 16.1.4
- F5 BIG-IP Next CNF - 1.1.1
- F5 BIG-IP - 15.1.10
Remediation
Refer to F5 Security Advisory Security for patch, upgrade or suggested workaround information.