Someone claiming "User Enumeration Flaw" in BIG-IQ, pretty sure its intended behavior

Question

Recently came across this post it's kind of hard to understand, but I'm almost sure that this is the intended behavior of the REST API considering you have to log in to access the URL. I think it's kind of silly to expose the user's password hash but this really shouldn't be an issue if the hash algorithm is strong enough, not to mention the fact that only legitimate users can access this part of the API. I was wondering if I can get some confirmation, or see what you guys think about this.

max_q_factor · Answer

I think it might be best to drop an e-mail to technical support, or security-reporting@f5.com to get an official response based on SOL4602: Overview of the F5 security vulnerability response policy

0_168831 · Answer

I don't have an official support contract with F5, I'm merely doing security research, do you think they would still respond?

max_q_factor · Answer

Yes, security-reporting@f5.com is specifically setup to interact with people who are not F5 customers.

0_168831 · Answer

Awesome, thank you!

Forum Discussion

Someone claiming "User Enumeration Flaw" in BIG-IQ, pretty sure its intended behavior

4 Replies

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Base64 decoding issue (JSON request)

F5 i-series Guests to r-series tenants migration

Block specific URL's in APM

Sizing calculation storage

Upgrading vCMP guest

Related Content

Enumerate All Modules

BIG-IP & Ansible configuration of "External Users"

user root with role admin doesn't have access to "ihealth-request"

With Datasafe, what key is used in encrypting the user credentials "obfuscating user credentials"?

"General database error retrieving information" when accessing System> Users> User list in GUI

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS