Bug ID 1117305: The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2

Fixed In:
17.1.1, 16.1.4, 15.1.9

Opened: Jun 20, 2022

Severity: 3-Major

Symptoms

The /api returns 401 when incorrect Basic Authorization credentials are supplied. The /api returns 404 when correct Basic Authorization credentials are supplied.

Impact

There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.

Conditions

Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.

Workaround

None

Fix Information

The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips