Is RH-SSO vulnerable to Host Header Injection?

Solution Verified

Issue

  • Modifying the hostname in the password reset link that is sent by email can lead to a potential vulnerability. Is that true in RH-SSO? How can it be avoided?
  • How can potential Host header poisoning be mitigated in RH-SSO?
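The article's own solution is not part of this excerpt, so the following is an added illustration, not Red Hat's text. The defensive idea is to stop the server from deriving the URLs it places in emails (password reset, email verification) from the incoming Host header, and instead pin them to a fixed frontend URL. The fragment below assumes an RH-SSO release that ships the `hostname` SPI with its `default` provider (RH-SSO 7.4 / Keycloak 9 and later; an assumption, earlier 7.x releases differ), that the server is configured through the `keycloak-server` subsystem in `standalone.xml` or `standalone-ha.xml`, and that `https://sso.example.com/auth` is a placeholder for the real public URL.

```xml
<!-- Added example, not from the Red Hat article.
     Location: <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> in standalone(-ha).xml.
     Assumes the hostname SPI "default" provider (RH-SSO 7.4 / Keycloak 9+). -->
<spi name="hostname">
    <!-- Weak setting: the "request" provider builds links from whatever Host
         header the client sent, so a spoofed Host can end up in reset emails. -->
    <!-- <default-provider>request</default-provider> -->

    <!-- Hardened setting: links in emails and redirects use this fixed URL. -->
    <default-provider>default</default-provider>
    <provider name="default" enabled="true">
        <properties>
            <!-- Placeholder: replace with the public base URL of your RH-SSO instance. -->
            <property name="frontendUrl" value="https://sso.example.com/auth"/>
            <!-- Keep false unless back-channel (server-to-server) requests must
                 also be rewritten to the frontend URL. -->
            <property name="forceBackendUrlToFrontendUrl" value="false"/>
        </properties>
    </provider>
</spi>
```

After restarting the server, request a password reset for a test user and confirm that the link in the received email carries the pinned host regardless of the Host header used when submitting the form; a reverse proxy in front of RH-SSO should additionally be configured to reject or normalise unexpected Host values so that an unpinned realm cannot be reached with a spoofed header.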

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Password reset / Email verification
