When receiving an unauthenticated client request with a maliciously crafted URI, a BIG-IP Advanced WAF or ASM virtual server configured with a DoS profile with Proactive Bot Defense (versions prior to 14.1.0), or with a Bot Defense profile (versions 14.1.0 and later), may subject clients and web servers to open redirection attacks. (CVE-2021-22984)
Impact
When a virtual server that has Bot Defense enabled processes the type of request described in this security advisory, the Bot Defense feature incorrectly generates an HTTP 307 status code (Temporary Redirect). As a result, the client experiences an unexpected HTTP redirection, which can potentially be used for a phishing scam or for stealing user credentials. In addition, the site named in the client request URI unexpectedly receives the redirected request.
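One way to spot this behaviour from the proxy side, as an added example that is not part of the F5 advisory: the script below scans access-log lines and flags HTTP 307 responses whose Location header points to a host other than the virtual server's own hostnames. The log format, the sample lines and the hostnames are constructed assumptions; real BIG-IP log layouts differ and the parser would need adjusting.

```python
"""Flag HTTP 307 responses whose Location header points off-site.

Added example, not F5 code. Assumes a simplified, constructed log format:
client_ip method request_uri status location ("-" = no Location header).
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)

# Constructed sample lines (RFC 5737 test addresses, example.* hostnames).
SAMPLE_LOG = """\
203.0.113.10 GET /index.html 200 -
203.0.113.11 GET /login 307 https://www.example.com/login
203.0.113.12 GET /catalog?id=7 307 https://other.example.org/catalog?id=7
203.0.113.13 GET /app 307 //Other.Example.org/app
203.0.113.14 GET /docs 307 /docs/
203.0.113.15 GET /api 302 https://www.example.com/api
"""


def location_host(location: str) -> str | None:
    """Lower-cased host a Location value points to, or None if it is relative/absent."""
    if not location or location == "-":
        return None
    parts = urlsplit(location)  # also handles scheme-relative "//host/path"
    return parts.hostname.lower() if parts.hostname else None


def find_offsite_307(log_text: str, own_hosts: set[str]) -> list[dict]:
    """One finding per 307 whose Location host is not one of the server's own hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "307":
            continue
        host = location_host(m["location"])
        if host is None or host in own:
            continue  # relative or same-site redirect: expected behaviour
        findings.append({"client": m["ip"], "uri": m["uri"], "redirect_host": host})
    return findings


if __name__ == "__main__":
    for finding in find_offsite_307(SAMPLE_LOG, {"www.example.com"}):
        print(finding)
```

Same-site and relative redirects are deliberately ignored so that only the off-site 307 pattern described in the advisory is reported.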
CPE

Name | Operator | Version
---|---|---
big-ip asm | eq | 11.6.0
big-ip asm | eq | 11.6.1
big-ip asm | eq | 11.6.2
big-ip asm | eq | 11.6.3
big-ip asm | eq | 11.6.4
big-ip asm | eq | 11.6.5
big-ip asm | eq | 12.1.0
big-ip asm | eq | 12.1.1
big-ip asm | eq | 12.1.2
big-ip asm | eq | 12.1.3