CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS4
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: ACTIVE
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/SC:H/VI:H/SI:H/VA:H/SA:H
AI Score
Confidence: High
EPSS
Percentile: 39.6%
Security Advisory Description
On August 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
You can watch the August 2024 Quarterly Security Notification briefing by DevCentral in the following video:
High CVEs
Article (CVE) | CVSS score¹ | Affected products | Affected versions² | Fixes introduced in |
---|---|---|---|---|
K000140111: BIG-IP Next Central Manager vulnerability CVE-2024-39809 | 7.5 (CVSS v3.1)<br>8.9 (CVSS v4.0) | BIG-IP Next Central Manager | 20.1.0 | 20.2.0 |
K05710614: BIG-IP HSB vulnerability CVE-2024-39778 | 7.5 (CVSS v3.1)<br>8.7 (CVSS v4.0) | BIG-IP (all modules) | 17.1.0<br>16.1.0 - 16.1.4<br>15.1.0 - 15.1.10 | 17.1.1<br>16.1.5 |
K000140108: NGINX Plus MQTT vulnerability CVE-2024-39792 | 7.5 (CVSS v3.1)<br>8.7 (CVSS v4.0) | NGINX Plus | R30 - R32 | R32 P1<br>R31 P3 |
K000138833: BIG-IP TMM vulnerability CVE-2024-41727 | 7.5 (CVSS v3.1)<br>8.7 (CVSS v4.0) | BIG-IP (all modules) | 16.1.0 - 16.1.4<br>15.1.0 - 15.1.10 | 16.1.5 |

¹ Starting with the August 2024 Quarterly Security Notification, F5 will provide the CVSS v4.0 base score in addition to the CVSS v3.1 score, for first-party security issues only. For more information about how F5 uses CVSS v4.0, refer to K000140363: Overview of CVSS v4.0 in F5 security advisories.
² F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle.
Medium CVEs
Article (CVE) | CVSS score¹ | Affected products | Affected versions² | Fixes introduced in |
---|---|---|---|---|
K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164 | 5.9 (CVSS v3.1)<br>8.2 (CVSS v4.0) | BIG-IP Next SPK | 1.7.0 - 1.8.2 | 1.9.0 |
K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164 | 5.9 (CVSS v3.1)<br>8.2 (CVSS v4.0) | BIG-IP Next CNF | 1.1.0 - 1.1.1 | 1.2.0 |
K000138477: BIG-IP MPTCP vulnerability CVE-2024-41164 | 5.9 (CVSS v3.1)<br>8.2 (CVSS v4.0) | BIG-IP (all modules) | 17.1.0<br>16.1.0 - 16.1.4<br>15.1.0 - 15.1.9 | 17.1.1<br>16.1.5<br>15.1.10 |
K000139938: BIG-IP Next Central Manager vulnerability CVE-2024-37028 | 5.3 (CVSS v3.1)<br>6.3 (CVSS v4.0) | BIG-IP Next Central Manager | 20.1.0 - 20.2.0 | 20.2.1 |
K000140529: NGINX ngx_http_mp4_module vulnerability CVE-2024-7347 | 4.7 (CVSS v3.1)<br>5.7 (CVSS v4.0) | NGINX Plus | R27 - R32 | R32 P1<br>R31 P3 |
K000140529: NGINX ngx_http_mp4_module vulnerability CVE-2024-7347 | 4.7 (CVSS v3.1)<br>5.7 (CVSS v4.0) | NGINX Open Source | 1.5.13 - 1.26.1 | 1.27.1<br>1.26.2 |
K10438187: BIG-IP iControl REST vulnerability CVE-2024-41723 | 4.3 (CVSS v3.1)<br>5.3 (CVSS v4.0) | BIG-IP (all modules) | 17.1.0<br>16.1.0 - 16.1.4<br>15.1.0 - 15.1.10 | 17.1.1<br>16.1.5 |
K000140006: BIG-IP Next Central Manager vulnerability CVE-2024-41719 | 4.2 (CVSS v3.1)<br>5.1 (CVSS v4.0) | BIG-IP Next Central Manager | 20.1.0 - 20.2.0 | 20.2.1 |
Vendor | Product | Version | CPE |
---|---|---|---|
f5 | big-ip_next_central_manager | 20.1.0 | cpe:2.3:a:f5:big-ip_next_central_manager:20.1.0:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.1.1 | cpe:2.3:a:f5:big-ip_next_central_manager:20.1.1:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.2.0 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next_central_manager | 20.2.1 | cpe:2.3:a:f5:big-ip_next_central_manager:20.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.0 | cpe:2.3:a:f5:big-ip_next:1.1.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.1.1 | cpe:2.3:a:f5:big-ip_next:1.1.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.0 | cpe:2.3:a:f5:big-ip_next:1.2.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.2.1 | cpe:2.3:a:f5:big-ip_next:1.2.1:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.0 | cpe:2.3:a:f5:big-ip_next:1.3.0:*:*:*:*:*:*:* |
f5 | big-ip_next | 1.3.1 | cpe:2.3:a:f5:big-ip_next:1.3.1:*:*:*:*:*:*:* |