Red Hat JBoss Enterprise Application Platform is vulnerable to information disclosure. When a GET request results in a 302 redirect and the request header ‘Host’ field is not set, the response header field ‘Location’ contains the internal IP address of the server. A remote attacker could use this to access unauthorized data.
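A defender-side check for this condition, as an added example that is not part of the Red Hat advisory: it parses the head of a captured HTTP response and reports an internal IP literal found in the ‘Location’ header of a redirect. The function names and the sample responses are constructed for illustration, and treating private, loopback and link-local ranges as "internal" is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses (not captured from a real server).
SAMPLE_LEAK = "HTTP/1.1 302 Found\r\nLocation: http://192.168.10.25:8080/app/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NAME = "HTTP/1.1 302 Found\r\nLocation: http://app.example.com/app/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_RELATIVE = "HTTP/1.1 302 Found\r\nLocation: /app/\r\n\r\n"
SAMPLE_IPV6 = "HTTP/1.1 302 Found\r\nlocation: http://[fd00::1]:8080/app/\r\n\r\n"
SAMPLE_NOT_REDIRECT = "HTTP/1.1 200 OK\r\nLocation: http://10.0.0.5/\r\n\r\n"


def parse_response_head(raw):
    """Return (status_code, headers) from the head of a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers


def leaked_internal_address(raw):
    """Return the internal IP literal exposed in a redirect's Location header, else None."""
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or not location:
        return None
    host = urlsplit(location).hostname  # None for a relative redirect
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    # Assumption: these ranges are what counts as an "internal" address.
    internal = addr.is_private or addr.is_loopback or addr.is_link_local
    return str(addr) if internal else None


if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_NAME, SAMPLE_RELATIVE, SAMPLE_IPV6):
        print(leaked_internal_address(sample))
```

Run over responses recorded before and after applying the errata, the check shows whether the redirect still exposes the server's address.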
access.redhat.com/documentation/en/jboss-enterprise-application-platform/
access.redhat.com/errata/RHSA-2017:3454
access.redhat.com/errata/RHSA-2017:3455
access.redhat.com/errata/RHSA-2017:3456
access.redhat.com/errata/RHSA-2017:3458
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1362735
issues.jboss.org/browse/JBEAP-5322