{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40534", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2023-10-05T19:17:25.722Z", "datePublished": "2023-10-10T12:32:37.830Z", "dateUpdated": "2024-09-19T13:48:43.571Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["All Modules"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "17.1.0.3.0.23.4-ENG", "status": "affected", "version": "17.1.0", "versionType": "semver"}, {"lessThan": "16.1.4.1.0.13.5-ENG", "status": "affected", "version": "16.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "15.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "14.1.0", "versionType": "semver"}, {"lessThan": "*", "status": "unaffected", "version": "13.1.0", "versionType": "semver"}]}, {"defaultStatus": "unknown", "product": "BIG-IP Next SPK", "vendor": "F5", "versions": [{"lessThan": "*", "status": "affected", "version": "1.6.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "F5"}], "datePublic": "2023-10-18T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.</span>&nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2023-10-10T12:32:37.830Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000133467"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP HTTP/2 vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:50.458Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000133467"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T13:48:25.662031Z", "id": "CVE-2023-40534", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:48:43.571Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://my.f5.com/manage/s/article/K000133467", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:38:50.458Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40534", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T13:48:25.662031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:48:33.667Z"}}], "cna": {"title": "BIG-IP HTTP/2 vulnerability", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "F5"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "modules": ["All Modules"], "product": "BIG-IP", "versions": [{"status": "affected", "version": "17.1.0", "lessThan": "17.1.0.3.0.23.4-ENG", "versionType": "semver"}, {"status": "affected", "version": "16.1.0", "lessThan": "16.1.4.1.0.13.5-ENG", "versionType": "semver"}, {"status": "unaffected", "version": "15.1.0", "lessThan": "*", "versionType": "semver"}, {"status": "unaffected", "version": "14.1.0", "lessThan": "*", "versionType": "semver"}, {"status": "unaffected", "version": "13.1.0", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "unknown"}, {"vendor": "F5", "product": "BIG-IP Next SPK", "versions": [{"status": "affected", "version": "1.6.0", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "unknown"}], "datePublic": "2023-10-18T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000133467", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.</span>&nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2023-10-10T12:32:37.830Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40534", "state": "PUBLISHED", "dateUpdated": "2024-09-19T13:48:43.571Z", "dateReserved": "2023-10-05T19:17:25.722Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2023-10-10T12:32:37.830Z", "assignerShortName": "f5"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "92F10A0D-A487-4B2A-ADF7-4AB3C5A98001", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "2ADC24ED-14A3-4F96-A6DA-5A2FDC60A71B", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_firewall_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A1CC91B-6920-4AF0-9EDD-DD3189E78F4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*", "matchCriteriaId": "E42EBA0A-EC53-4885-9AFD-AFF83224214C", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1769D69A-CB59-46B1-89B3-FB97DC6DEB9B", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E49638F-30AA-4112-8F6F-13F013F9E72B", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_analytics:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "59203EBF-C52A-45A1-B8DF-00E17E3EFB51", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "3823874E-B0C1-4F7B-B1E7-1423C371E79C", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_acceleration_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C698C1C-A3DD-46E2-B05A-12F2604E7F85", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "C175FBF7-CF8D-48C2-B604-AC766AE3ECAD", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_security_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "87670A74-34FE-45DF-A725-25B804C845B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:*:*:*:*:*:*:*:*", "matchCriteriaId": "C509C00E-2C92-4905-BD2D-22B5BDDDE4EE", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_application_visibility_and_reporting:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "67DB21AE-DF53-442D-B492-C4ED9A20B105", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*", "matchCriteriaId": "FAD1751B-9818-474E-B970-719CE1AEA782", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_carrier-grade_nat:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7BC1D037-74D2-4F92-89AD-C90F6CBF440B", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A519F4C-D469-47A0-9F61-2EE33976177D", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7B235A78-649B-46C5-B24B-AB485A884654", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "69DE4021-B15C-4310-8898-E4EC3EC0DA60", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_domain_name_system:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "84D00768-E71B-4FF7-A7BF-F2C8CFBC900D", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A779434-C082-486E-8F65-587CE0BD1828", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_edge_gateway:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3F28D083-19BE-4584-A61A-85DD3CDC66BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "67CAB7BF-AC42-4957-9F8F-59CACA30D0A3", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_fraud_protection_service:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABBD10E8-6054-408F-9687-B9BF6375CA09", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "11EA68F6-028C-4A63-AFB6-0B6F36F5EB8C", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "83794B04-87E2-4CA9-81F5-BB820D0F5395", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "16657185-FDAA-4DF4-A2A1-1B5BAF8697FB", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_link_controller:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A6E7035-3299-474F-8F67-945EA9A059D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "04ABC7AA-1D2D-4954-863B-A417794B1F5B", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "56FB92F7-FF1E-425D-A5AB-9D9FB0BB9450", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "5190BFD8-0F6C-4CAF-9589-7CD8A589CDC3", "versionEndIncluding": "1.8.2", "versionStartIncluding": "1.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "957276C7-DA88-44F1-AB18-AA39DC1BF9B4", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_policy_enforcement_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "667EB77B-DA13-4BA4-9371-EE3F3A109F38", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6D0A641-7EF3-4F9E-9503-4A202E04102A", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_ssl_orchestrator:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C446827A-1F71-4FAD-9422-580642D26AD1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:*", "matchCriteriaId": "095E5580-CF33-45EB-90DB-1EB4F0C0DFCA", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_webaccelerator:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3D1B2000-C3FE-4B4C-885A-A5076EB164E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_websafe:*:*:*:*:*:*:*:*", "matchCriteriaId": "D097C6A6-5C8D-4275-B0CD-3947E11AA5B1", "versionEndExcluding": "16.1.4.1", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_websafe:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8AB23AE6-245E-43D6-B832-933F8259F937", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When a client-side HTTP/2 profile and the HTTP MRF Router option are enabled for a virtual server, and an iRule using the HTTP_REQUEST event or Local Traffic Policy are associated with the virtual server, undisclosed requests can cause TMM to terminate.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "Cuando un perfil HTTP/2 del lado del cliente y la opci\u00f3n HTTP MRF Router est\u00e1n habilitadas para un servidor virtual, y una iRule que utiliza el evento HTTP_REQUEST o la Pol\u00edtica de Tr\u00e1fico Local est\u00e1 asociada con el servidor virtual, las solicitudes no divulgadas pueden provocar la finalizaci\u00f3n de TMM. Nota: Las versiones de software que han llegado al End of Technical Support (EoTS) no se eval\u00faan."}], "id": "CVE-2023-40534", "lastModified": "2024-11-21T08:19:40.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2023-10-10T13:15:20.730", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000133467"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000133467"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}

{}