Is RH-SSO vulnerable to Host Header Injection?

Solution Verified

Issue

  • Modifying the hostname in the password-reset link that is sent by email can lead to a potential vulnerability. Does this apply to RH-SSO, and how can it be avoided?
  • How can potential Host header poisoning be mitigated in RH-SSO?
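The mechanism behind the question above is generic: if a server composes the absolute URL in the reset e-mail from the `Host` header of the incoming request, whoever sends the reset request controls where the link points. The following is an added, constructed illustration (not RH-SSO code and not the knowledgebase solution) that places the vulnerable pattern next to a hardened one that builds links only from a fixed, configured hostname, and adds a small log check a defender can run. The hostnames, the `/auth/reset` path and the log line format are assumptions made for the example.

```python
"""Host header poisoning in a password-reset link: vulnerable vs. hardened.

Constructed example. CONFIGURED_HOSTNAME, the /auth/reset path and the log
format are assumptions, not values from RH-SSO or from the knowledgebase.
"""
import re
from urllib.parse import urlencode

# Assumed deployment setting: the one public hostname the service is reachable under.
CONFIGURED_HOSTNAME = "sso.example.com"
ALLOWED_HOSTS = frozenset({CONFIGURED_HOSTNAME})
RESET_PATH = "/auth/reset"  # placeholder path for the example


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Vulnerable pattern: the request's Host header decides where the link points.

    A reset request carrying 'Host: attacker.example' makes the e-mailed link
    point at that host, so the victim's reset token would be sent there on click.
    """
    host = headers.get("Host", CONFIGURED_HOSTNAME)
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def is_host_allowed(host: str) -> bool:
    """True if the Host header (optionally with a port) names an allowed hostname."""
    name = host.strip().split(":", 1)[0].lower()
    return name in ALLOWED_HOSTS


def reset_link_fixed_hostname(headers: dict, token: str) -> str:
    """Hardened pattern: never derive the link hostname from the request.

    The Host header is only validated against the allow-list (a mismatch
    indicates tampering or a misrouted request and is rejected); the link is
    always built from the configured hostname.
    """
    host = headers.get("Host", "")
    if not is_host_allowed(host):
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{CONFIGURED_HOSTNAME}{RESET_PATH}?{urlencode({'token': token})}"


_HOST_FIELD = re.compile(r'\bhost="?([^"\s]+)"?')


def suspicious_hosts_in_log(lines) -> list:
    """Detection aid: return (client, host) pairs for reset requests whose logged
    Host value is not in the allow-list. Expects constructed lines of the form
    '<client-ip> "POST /auth/reset HTTP/1.1" host=<value>'.
    """
    findings = []
    for line in lines:
        if RESET_PATH not in line:
            continue
        m = _HOST_FIELD.search(line)
        if m and not is_host_allowed(m.group(1)):
            client = line.split(maxsplit=1)[0]
            findings.append((client, m.group(1)))
    return findings


if __name__ == "__main__":
    # Constructed requests and log lines for demonstration.
    benign = {"Host": "sso.example.com"}
    tampered = {"Host": "attacker.example"}
    print("vulnerable builder, tampered Host:", reset_link_from_host_header(tampered, "t1"))
    print("hardened builder, benign Host:   ", reset_link_fixed_hostname(benign, "t1"))
    sample_log = [
        '198.51.100.4 "POST /auth/reset HTTP/1.1" host=sso.example.com',
        '203.0.113.7 "POST /auth/reset HTTP/1.1" host=attacker.example',
        '203.0.113.9 "GET /auth/realms HTTP/1.1" host=other.example',
    ]
    print("suspicious reset requests:", suspicious_hosts_in_log(sample_log))
```

The hardened builder treats the configured hostname as the only source of truth for outbound links; the Host check exists to surface tampering in logs, not to pick a hostname. The same allow-list drives the log scan, so any reset request logged with an unexpected Host value is flagged for review.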

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Password reset / Email verification
