Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatcveRedhat.comRH:CVE-2016-6311
HistoryNov 03, 2019 - 4:20 p.m.

CVE-2016-6311

2019-11-0316:20:42
redhat.com
access.redhat.com
18
JSON

It was found that when issuing a GET request which results in a 302 redirect, and when the request header ‘Host’ field was not set, the response header field ‘Location’ contains the internal IP address of the server. An attacker could use this disclose information which they are not authorized to access.

Mitigation

You can add a filter in the JBoss CLI that sets the host header to the 'myvirtualhost.com' if the host header is not present. eg:

/subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host, value=myvirtualhost.com)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hostname:add(predicate="not exists(%{i,Host})")

Related

veracode 1
prion 1
cve 1
redhat 4
nessus 3
veracode
veracode
Information Disclosure
2019-05-02 06:38:40
prion
prion
Design/Logic Flaw
2017-08-22 18:29:00
cve
cve
CVE-2016-6311
2017-08-22 18:29:00
redhat
redhat
(RHSA-2017:3455) Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
2017-12-13 17:29:37
(RHSA-2017:3458) Important: eap7-jboss-ec2-eap security update
2017-12-13 18:11:21
(RHSA-2017:3454) Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
2017-12-13 17:28:55
nessus
nessus
RHEL 6 : JBoss EAP (RHSA-2017:3454)
2017-12-15 00:00:00
RHEL 7 : JBoss EAP (RHSA-2017:3455)
2017-12-15 00:00:00
RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:3458)
2017-12-14 00:00:00
JSON
Related for RH:CVE-2016-6311
veracode1prion1cve1redhat4nessus3