Last Modified: Jul 24, 2024
Affected Product(s):
BIG-IP APM
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3
Fixed In:
16.1.5
Opened: Sep 13, 2023
Severity: 4-Minor
Symptoms:
Per RFC 7519, the "exp" claim of a JWT is a NumericDate, which the RFC defines as a JSON numeric value. JSON itself has no separate integer type, so a numeric value can arrive either as a JSON number (unquoted) or as a string (quoted). BIG-IP APM throws an exception when the "exp" value is not a JSON number, so a quoted "exp" such as "1700000000" is rejected rather than interpreted as a number; a further check confirms that the value is of a valid type.
Impact:
Support-introspection cannot be enabled.
Conditions:
The issue occurs only when support-introspection is enabled.
Workaround:
Disable support-introspection.
None