Bug ID 1210053: The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Last Modified: Feb 23, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Opened: Dec 15, 2022

Severity: 3-Major

Symptoms

The internal parameter cred_stuffing_fail_open controls whether a Leaked Credentials violation is raised when the Leaked Credential server returns an error. By default, no violation is raised. Changing the internal parameter value does not trigger the violation.

Impact

Leaked Credential violation is not raised.

Conditions

- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Workaround

None

Fix Information

None

Behavior Change
