Last Modified: Sep 27, 2024
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4
Opened: Nov 27, 2023
Severity: 3-Major
The endpoints listed below, which allow admin role users to create authentication tokens for themselves or for users of other roles, do not validate the supplied username (whether given as an attribute or in the user link of the payload) against the user existence check.
/mgmt/cm/system/authn/providers/tmos/token-generator
/mgmt/shared/authz/tokens
An admin role user can create an authentication token for any non-existent or disabled remote user, which is not expected behaviour.
This occurs when an admin role user creates an authentication token on behalf of a user of the same or another role through one of the following endpoints and supplies a non-existent username.
/mgmt/cm/system/authn/providers/tmos/token-generator
/mgmt/shared/authz/tokens
None
None
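As an added illustration (not F5's code), this Python snippet shows the kind of existence check the advisory says the token endpoints lack: it pulls the target username from either the username attribute or the user link of a token request and rejects users that do not exist or are disabled. The payload shape, the user-link URL form and the user directory are assumptions constructed for the example.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample user store: username -> enabled flag.
# A real check would query the BIG-IP user store; this stands in for it.
USER_DIRECTORY = {
    "admin": True,
    "auditor1": True,
    "disabled_remote": False,
}


def username_from_payload(payload: dict) -> Optional[str]:
    """Extract the target username from a token request.

    Two assumed payload forms, matching the advisory's "attribute or user link":
      {"username": "auditor1"}
      {"userReference": {"link": "https://localhost/mgmt/shared/authz/users/auditor1"}}
    """
    name = payload.get("username")
    if name:
        return name
    link = (payload.get("userReference") or {}).get("link")
    if link:
        # The last non-empty path segment of the link is taken as the username.
        path = urlparse(link).path.rstrip("/")
        return path.rsplit("/", 1)[-1] or None
    return None


def validate_token_request(raw_body: str, directory=USER_DIRECTORY) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only for an existing, enabled user."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    name = username_from_payload(payload)
    if not name:
        return False, "no username in attribute or user link"
    if name not in directory:
        return False, f"user {name!r} does not exist"
    if not directory[name]:
        return False, f"user {name!r} is disabled"
    return True, f"user {name!r} exists and is enabled"
```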