Bug ID 1210053: The cred_stuffing_fail_open Internal Parameter does not cause Leaked Credential violation in case of expiration or error

Last Modified: Dec 22, 2022

Affected Product:
BIG-IP ASM (all modules)

Opened: Dec 15, 2022
Severity: 4-Minor

Symptoms

When a Leaked Credential server error occurs, the internal parameter cred_stuffing_fail_open determines whether a Leaked Credentials violation is raised (by default, no violation is raised). Changing the internal parameter value does not trigger the violation.

Impact

Leaked Credential violation is not raised.

Conditions

- ASM is provisioned.
- WAF Policy is attached to virtual server with Credential Stuffing enabled.
- Internal Parameter cred_stuffing_fail_open is set to 0.
- A server error (or timeout) occurred during leaked credential check.

Workaround

None

Fix Information

None

Behavior Change