Last Modified: Oct 16, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0, 11.6.2
Opened: Nov 21, 2015 Severity: 3-Major
Client-initiated form-based SSO fails when the username and password are not substituted correctly into the POST request. The client-initiated form-based SSO module and the browser URL-encode special characters in the username or password differently (the two encoded forms differ only in letter case), and the module's case-sensitive comparison does not find a match between the two URL-encoded values. The SSO module therefore adds the username and password to the request again. As a result the password attribute/value pair appears twice, once carrying the f5-sso-token and once carrying the real password, and the SSO attempt fails.
Symptoms:
SSO fails: the password attribute/value pair appears twice in the POST request, once with the f5-sso-token and once with the real password.
Conditions:
The password contains special characters such as [ or ].
Workaround:
No workaround.
Fix Information:
Not fixed yet.
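To make the failure mode concrete, here is an added Python illustration written for this page; it is not F5 code and does not reproduce APM's internals. It assumes the two sides differ only in the case of the hex digits in their percent-escapes (browser uppercase, the other side lowercase; which side uses which is an assumption), and it models the rewrite step as "append the credential unless it is already present", which is enough to produce the duplicated password pair. The field names, the TOKEN constant and the sample POST body are constructed for the example.

```python
"""Added illustration of the percent-encoding mismatch behind this bug (not F5 code)."""
import re
from urllib.parse import quote, unquote

# Placeholder name quoted in the bug text.
TOKEN = "f5-sso-token"


def browser_encode(value: str) -> str:
    """Percent-encode the way a browser does: uppercase hex digits, '[' -> '%5B'."""
    return quote(value, safe="")


def module_encode(value: str) -> str:
    """Assumed encoder for the other side of the comparison: identical escapes
    but lowercase hex digits, '[' -> '%5b'. The bug only needs the two to disagree."""
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), quote(value, safe=""))


def values_match(a: str, b: str, canonical: bool) -> bool:
    """Compare two form-encoded values.
    canonical=False reproduces the bug: a byte-for-byte, case-sensitive comparison
    that treats '%5B' and '%5b' as different strings. canonical=True decodes both
    sides first, so any two valid encodings of the same string compare equal."""
    if canonical:
        return unquote(a.replace("+", " ")) == unquote(b.replace("+", " "))
    return a == b


def parse_body(body: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into (name, raw value)
    pairs without decoding, so each field keeps the encoding it arrived with."""
    return [tuple(field.partition("=")[::2]) for field in body.split("&") if field]


def ensure_credentials(body: str, username: str, password: str, canonical: bool) -> str:
    """Simplified model of the SSO rewrite step (an assumption, not APM's code path):
    for each credential, check whether the body already carries it by comparing the
    raw field value against the module's own encoding, and append the pair if not.
    With the case-sensitive comparison a browser-encoded password is not recognised,
    so the password pair is added a second time, the duplication this bug reports."""
    pairs = parse_body(body)
    expected = {"username": module_encode(username), "password": module_encode(password)}
    for name, encoded in expected.items():
        if not any(n == name and values_match(v, encoded, canonical) for n, v in pairs):
            pairs.append((name, encoded))
    return "&".join(f"{n}={v}" for n, v in pairs)


def duplicated_fields(body: str) -> list[str]:
    """Field names that occur more than once; a duplicated 'password' is the
    symptom reported here and is a quick check to run on a captured POST."""
    counts: dict[str, int] = {}
    for name, _ in parse_body(body):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def disagreeing_chars(secret: str) -> list[str]:
    """Characters whose two encodings differ, i.e. escapes that contain the hex
    letters A-F ('[' is %5B, ']' is %5D); '!' (%21) or '#' (%23) are unaffected."""
    return [c for c in secret if browser_encode(c) != module_encode(c)]


# Constructed sample: the browser submitted the real password, encoded its way.
PASSWORD = "p[ss]word"
BODY = f"username=alice&password={browser_encode(PASSWORD)}"

if __name__ == "__main__":
    buggy = ensure_credentials(BODY, "alice", PASSWORD, canonical=False)
    fixed = ensure_credentials(BODY, "alice", PASSWORD, canonical=True)
    print("browser :", browser_encode(PASSWORD))
    print("module  :", module_encode(PASSWORD))
    print("buggy   :", buggy, duplicated_fields(buggy))
    print("fixed   :", fixed, duplicated_fields(fixed))
    print("risky   :", disagreeing_chars(PASSWORD))
```

The general lesson is that percent-encoding is not canonical: hex-digit case, `+` versus `%20`, and whether a given sub-delimiter is escaped at all can each vary between producers, so two encoded strings must be decoded before they are compared. Under the modeled encoders, `disagreeing_chars` flags exactly the characters whose escape contains a hex letter, for example `[`, `]`, `{`, `}`, `|`, `<`, `>`, `+`, `/` and `=`, which is a useful screen for passwords likely to hit this condition.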