Bug ID 923821: Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Last Modified: Apr 29, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1

Opened: Jul 03, 2020

Severity: 2-Critical

Symptoms

When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Impact

Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Conditions

1) Mitigated action is set to CSI followed by captcha for credential stuffing attack. 2) Credential stuffing attack occurs. 3) CSI challenge is success.

Workaround

None

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips