Last Modified: Nov 07, 2022
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5
12.0.0, 11.6.0 HF6
Opened: Mar 20, 2015 Severity: 3-Major
When a session variable set by AD/LDAP module is HEX-encoded, it is possible to decode it with the -decode option for the mcget command. The option works correctly when the session variable contains multiple values (such as | 0xABCD | 0xDCBA |), but it does not work properly with a single encoded value (such as0xABCD).
As a result, the access policy does not follow the expected branch rule.
The problem occurs under these conditions: the -decode option is specified when retrieving a HEX-encoded variable, and the session variable contains only one value/
While decoding a single value, the mcget command produces a result like EncodedValueDecodedValue. For example, for encoded string 0x616161, the result of the operation will be 616161aaa. It is possible to write a Tcl expression in the Variable Assign agent that truncates the left half of the string and leaves aaa, the decoded value only.
The -decode option works as expected for single-value and multi-value session variables.