Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-40534— BIG-IP HTTP/2 vulnerability

CVSS 7.5 · High EPSS 0.57% · P69
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-40534

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
BIG-IP HTTP/2 vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在移除最后引用时对内存的释放不恰当(内存泄露)
Source: NVD (National Vulnerability Database)
Vulnerability Title
F5 BIG-IP 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
F5 BIG-IP是美国F5公司的一款集成了网络流量管理、应用程序安全管理、负载均衡等功能的应用交付平台。 F5 BIG-IP 存在安全漏洞,该漏洞源于当为虚拟服务器启用客户端 HTTP/2 配置文件和 HTTP MRF 路由器选项,并且使用 HTTP_REQUEST 事件或本地流量策略的 iRule 与虚拟服务器关联时,未公开的请求可能会导致流量管理微内核 (TMM ) 终止。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
F5BIG-IP 17.1.0 ~ 17.1.0.3.0.23.4-ENG -
F5BIG-IP Next SPK 1.6.0 ~ * -

II. Public POCs for CVE-2023-40534

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-40534

登录查看更多情报信息。

Same Patch Batch · F5 · 2023-10-10 · 15 CVEs total

CVE-2023-413739.9 CRITICALBIG-IP Configuration Utility vulnerability
CVE-2023-437468.7 HIGHBIG-IP Appliance mode external monitor vulnerability
CVE-2023-405378.1 HIGHMulti-blade VIPRION Configuration utility session cookie vulnerability
CVE-2023-436117.8 HIGHBIG-IP Edge Client for macOS vulnerability
CVE-2023-410857.5 HIGHBIG-IP IPSEC vulnerability
CVE-2023-405427.5 HIGHBIG-IP TCP Profile vulnerability
CVE-2023-452267.4 HIGHBIG-IP Next SPK SSH vulnerability
CVE-2023-54507.3 HIGHBIG-IP Edge Client for macOS vulnerability
CVE-2023-427687.2 HIGHBIG-IP iControl REST vulnerability
CVE-2023-434855.5 MEDIUMBIGIP and BIG-IQ TACACS+ audit log Vulnerability
CVE-2023-412535.5 MEDIUMBIG-IP DNS TSIG Key vulnerability
CVE-2023-452194.4 MEDIUMBIG-IP tmsh vulnerability
CVE-2023-394474.4 MEDIUMBIG-IP APM Guided Configuration vulnerability
CVE-2023-419644.3 MEDIUMBIG-IP and BIG-IQ Database Variable vulnerability

IV. Related Vulnerabilities

Same product: BIG-IP
Same vendor: F5
Same weakness: CWE-401

V. Comments for CVE-2023-40534

No comments yet

Leave a comment