Last Modified: Aug 05, 2020
Affected Product:
See more info
BIG-IP LTM
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3
Fixed In:
16.0.0, 15.0.1.4, 13.1.3.4, 12.1.5.2
Opened: Dec 06, 2019
Severity: 3-Major
Related AskF5 Article:
K27551003
It is possible to have an absolute URI with an authority different from that in the Host header. The HTTP profile by default does not verify that these are the same.
HTTP requests with mismatched authority and Host headers are forwarded to back-end servers.
HTTP profile is enabled. A request contains an absolute URI with an authority different from that in the Host header.
None.
The HTTP RFC compliance option now rejects requests with an absolute URI that contains an authority different than that in the Host header. HTTP PSM's "invalid host" option now checks that the authorities match between the URI and Host header.