Last Modified: May 29, 2024
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
16.0.1, 16.0.0, 15.1.1, 15.1.0, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.5
Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
Opened: Jul 15, 2020
Severity: 2-Critical
A valid request that should be passed to the backend server is blocked.
A request is blocked that should not be.
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.
-- The cookie header that contains the valid cookie value is base64-encoded.
Disable 'Base64 Decoding' for the desired cookie.
Requests with valid base64-encoded cookies are now correctly passed by the enforcer.