Bug ID 799293: Cookie is masked when not configured to be masked

Last Modified: Nov 23, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 16.0.0, 16.0.0.1, 16.0.1

Opened: Jun 27, 2019
Severity: 4-Minor

Symptoms

Cookie is assumed to be sensitive data in attack-signature violation details, if another cookie in the same request is configured to be masked.

Impact

The attack-signature cookie is masked in attack-signature violation details.

Conditions

-- Two cookies are present in the same request. -- One of the cookies does not raise attack-signature violation and is configured to be masked. -- The other cookie raises an attack-signature violation and is not defined to be masked.

Workaround

None.

Fix Information

None

Behavior Change