Bug ID 749109: CSRF situation on BIGIP-ASM GUI

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5

Opened: Nov 07, 2018

Severity: 3-Major

Symptoms

A CSRF situation on the BIG-IP ASM GUI might lead to resource exhaustion on the device while the triggering request is being processed.

Impact

When multiple requests are sent to the target GUI, the httpd process can be seen spiking, including on core 0 (VMware).

Conditions

The following URL accepts a wildcard in the id parameter, which makes the request expensive to serve: https://BIG-IP/dms/policy/pl_negsig.php?id=*

Workaround

None.

Fix Information

If the id query string parameter has a string value, the query is not executed.
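The following is an added illustration of the validation described in the fix, written here for this page; it is not F5's code and the handler and query-runner names are hypothetical. It shows the id parameter of the pl_negsig.php URL being parsed and the query being run only when id is a single numeric value, so a wildcard such as `*` (or any other string value) is refused before anything expensive happens.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Hypothetical helpers (not F5's implementation) showing the fix described on
# this page: the query behind pl_negsig.php is only executed when the id query
# string parameter is a single decimal number.

_NUMERIC_ID = re.compile(r"[0-9]+")


def parse_policy_id(url):
    """Return the numeric id from a request URL, or None if the request must be refused.

    Refused: missing id, repeated id, empty id, and any non-digit value, so a
    wildcard like '*' or any other string value never reaches the query layer.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("id")
    if values is None or len(values) != 1:
        return None
    value = values[0]
    if _NUMERIC_ID.fullmatch(value) is None:
        return None
    return int(value)


def handle_request(url, run_query):
    """Hypothetical GUI handler: run_query(policy_id) is called only for a valid id.

    Returns an (HTTP status, body) pair so the decision is easy to check.
    """
    policy_id = parse_policy_id(url)
    if policy_id is None:
        # Refuse cheaply; the heavy query is never started.
        return 400, "id must be a single numeric value"
    return 200, run_query(policy_id)


if __name__ == "__main__":
    # Constructed sample requests, including the wildcard form from this page.
    samples = [
        "https://BIG-IP/dms/policy/pl_negsig.php?id=*",
        "https://BIG-IP/dms/policy/pl_negsig.php?id=42",
        "https://BIG-IP/dms/policy/pl_negsig.php?id=42&id=7",
        "https://BIG-IP/dms/policy/pl_negsig.php?id=",
        "https://BIG-IP/dms/policy/pl_negsig.php",
    ]
    for sample in samples:
        status, body = handle_request(sample, lambda i: f"policy {i} loaded")
        print(status, sample, "->", body)
```

Only the digits-only check is needed to cover the case on this page; the duplicate-parameter and empty-value checks close the neighbouring ways a parser could be coaxed into something other than a single integer.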

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips