Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: Mar 16, 2017
Severity: 3-Major
Symptoms:
Token validate responses create session variables without any sub-prefix, which may result in collisions with other session variables.
Impact:
May collide with other session variables. If they collide with token introspect responses, one or the other will be overwritten, depending on the order in which the variables are executed.
Conditions:
Executing a policy containing 'introspect' session variables such as 'authresult' and 'errMsg'.
Workaround:
None.
Fix:
The APM OAuth Token validate response now creates session variables with the prefix 'introspect' for session variables specific to the introspect response. This eliminates the potential conflict in which previous session variables are overwritten.
Upgrade Note: If you have existing access policy rules based on introspect response session variables, you must update the rules to use the new variable names.