The BIG-IP APM system logs the client-session-id when a per-session policy is attached to the virtual server with debug logging enabled. (CVE-2019-19150)
Impact
The BIG-IP APM system logs the client-session-id in the log files and is available to authenticated administrators of the system.