CVE-2024-23805

Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. For the Application Visibility and Reporting module, this may occur when the HTTP Analytics profile with URLs enabled under Collected Entitiesis configured on a virtual server and the DB variables avr.IncludeServerInURIor avr.CollectOnlyHostnameFromURIare enabled. For BIG-IP Advanced WAF and ASM, this may occur when either a DoS or Bot Defense profile is configured on a virtual server and the DB variables avr.IncludeServerInURIor avr.CollectOnlyHostnameFromURIare enabled.

Note: The DB variables avr.IncludeServerInURIand avr.CollectOnlyHostnameFromURIare not enabled by default. For more information about the HTTP Analytics profile and the Collect URLssetting, refer to  K30875743: Create a new Analytics profile and attach it to your virtual servers https://my.f5.com/manage/s/article/K30875743 .



 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
f5CNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
f5big-ip_advanced_web_application_firewall
15.1.0 ≤
𝑥
< 15.1.10
f5big-ip_advanced_web_application_firewall
16.1.0 ≤
𝑥
< 16.1.4
f5big-ip_advanced_web_application_firewall
17.1.0
f5big-ip_application_security_manager
15.1.0 ≤
𝑥
< 15.1.10
f5big-ip_application_security_manager
16.1.0 ≤
𝑥
< 16.1.4
f5big-ip_application_security_manager
17.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://my.f5.com/manage/s/article/K000137334
https://my.f5.com/manage/s/article/K000137334