Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4
Fixed In:
14.0.0, 13.1.4.1
Opened: Sep 27, 2017 Severity: 4-Minor
1) The slash (/) is double escaped (\\/). The slash is common in URLs. 2) Unicode escaped characters (\uXXXX) are not correctly un-escaped into UTF-8 characters, ends up unrecognizable.
APM applications who read JSON node session variables may not get the correct values.
Occurs in 13.1 and earlier releases when OAuth servers response in JSON, such as the OIDC User Info.
1) For double escaped slash, workaround is like, session.oauth.client.last.UserInfo.picture = return [string map {{\\/} /} [ mcget {session.oauth.client.last.UserInfo.picture} ]] 2) For incorrect UTF-8 characters, there is no workaround.
Unicode escaped characters are now correctly handled.