Lucene search

K
redhatcveRedhat.comRH:CVE-2016-6311
HistoryNov 03, 2019 - 4:20 p.m.

CVE-2016-6311

2019-11-0316:20:42
redhat.com
access.redhat.com
20

0.005 Low

EPSS

Percentile

76.4%

It was found that when issuing a GET request which results in a 302 redirect, and when the request header ‘Host’ field was not set, the response header field ‘Location’ contains the internal IP address of the server. An attacker could use this disclose information which they are not authorized to access.

Mitigation

You can add a filter in the JBoss CLI that sets the host header to the 'myvirtualhost.com' if the host header is not present. eg:

/subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host, value=myvirtualhost.com)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hostname:add(predicate="not exists(%{i,Host})")

0.005 Low

EPSS

Percentile

76.4%