When a BIG-IP object is created or listed through the REST interface, the protected fields are obfuscated in the REST response, not protected via a SecureVault cryptogram as TMSH does. One example of protected fields is the GTM monitor password. (CVE-2020-5943)
Impact
An obfuscated password is not as secure as an encrypted password. An authenticated, malicious representational state transfer (REST) API user may be able to de-obfuscate the protected fields in REST responses to view the plaintext password, resulting in sensitive information disclosure.