Security Advisory Description
When a non-admin user has been assigned an administrator role via an iControl REST PUT request and the user’s role is later reverted to a non-admin role via the Configuration utility, tmsh, or iControl REST, the BIG-IP non-admin user can still access the iControl REST admin resource. (CVE-2023-42768)
Impact
A non-admin user can access resources for which the account does not have permission. There is no data plane exposure; this is a control plane issue.