On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On version 14.1.x before 14.1.4.4 and all versions of 13.1.x, an open redirect vulnerability exists on virtual servers enabled with a BIG-IP APM access policy. This vulnerability allows an unauthenticated malicious user to build an open redirect URI. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. This is due to an incomplete fix for CVE-2020-5862. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, when GPRS Tunneling Protocol (GTP) iRules commands or a GTP profile is configured on a virtual server, undisclosed GTP messages can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, the BIG-IP Edge Client Windows Installer Service's temporary folder has weak file and folder permissions. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On version 8.0.x before 8.0.0.1, and all 6.x and 7.x versions, the BIG-IQ Configuration utility has an authenticated remote command execution vulnerability in undisclosed pages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

On version 7.2.1.x before 7.2.1.3 and 7.1.x before 7.1.9.9 Update 1, a DLL hijacking issue exists in cachecleaner.dll included in the BIG-IP Edge Client Windows Installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

The Nginx Controller 3.x before 3.7.0 agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.