EIQ-2018-0016

ID: EIQ-2018-0016 (Former ref.: 25116)
CVE: -
Description: Nginx sends full referrer data
Date: -
Severity: 1 - LOW
CVSSv3 score: CVSSv3 score not available on NIST NVD.
Status: Fixed in 2.7.0

Assessment

When a user navigates within the application, and possibly when they follow a link to an external URL, the Nginx server sets no Referrer-Policy, so the browser sends the full Referer header (the complete URL of the page the user came from) with the request.

This could give an attacker who controls an external site the application's external IP address or its internal system name, providing a view of the potential attack surface.

Mitigation

Set the Referrer-Policy response header in the Nginx configuration to same-origin.
same-origin is preferable to no-referrer because it still sends the referrer on requests to the application's own origin (local requests) while withholding it from other origins.

Example:

add_header 'Referrer-Policy' 'same-origin';
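As an added illustration (not code from the advisory or from the product), the following Python model reproduces what Referer value a browser sends under each Referrer-Policy value. It shows why the mitigation prefers same-origin over no-referrer (same-origin navigations keep their full referrer) and what an unset policy exposed to an external site. The URLs, header dictionaries and the LEGACY_DEFAULT assumption are constructed for the example.

```python
"""Added example, not part of the advisory: a model of the Referer value a
browser sends under each Referrer-Policy value, plus a check over captured
response headers.  All URLs and headers below are constructed samples."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption: with no Referrer-Policy header, browsers of the advisory's era
# (2018) fell back to no-referrer-when-downgrade, which sends the full URL to
# any https destination.  Current browsers default to
# strict-origin-when-cross-origin instead; pass that as `default` to compare.
LEGACY_DEFAULT = "no-referrer-when-downgrade"

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def _origin(url: str) -> str:
    """scheme://host[:port] with any userinfo removed."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def _full_referrer(url: str) -> str:
    """The 'full' referrer: the URL minus credentials and fragment."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname or ''}{port}", p.path, p.query, ""))


def referer_for(policy: Optional[str], source: str, dest: str,
                default: str = LEGACY_DEFAULT) -> Optional[str]:
    """Return the Referer value sent when navigating from `source` to `dest`
    under `policy`, or None when no Referer header is sent at all."""
    if not policy:
        policy = default
    same_origin = _origin(source) == _origin(dest)
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(dest).scheme == "http")
    origin_only = _origin(source) + "/"   # origin is serialised with a trailing slash
    full = _full_referrer(source)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown Referrer-Policy value: {policy}")


def effective_policy(headers: dict) -> Optional[str]:
    """Pick the policy a browser applies from response headers: the header
    name is matched case-insensitively and, for a comma-separated list,
    the last recognised token wins.  Returns None when the header is absent."""
    chosen = None
    for name, value in headers.items():
        if name.lower() != "referrer-policy":
            continue
        for token in value.split(","):
            token = token.strip().lower()
            if token in KNOWN_POLICIES:
                chosen = token
    return chosen


def leaks_path_cross_origin(headers: dict) -> bool:
    """True when a cross-origin https navigation would carry the full
    application URL (path and query) in Referer, which is the exposure the
    advisory describes.  Uses constructed sample URLs."""
    policy = effective_policy(headers)
    sent = referer_for(policy, "https://app.internal.example/admin/users?id=7",
                       "https://partner.example/")
    return sent is not None and "/admin/users" in sent


if __name__ == "__main__":
    for hdrs in ({}, {"Referrer-Policy": "same-origin"}):
        print(hdrs, "leaks full URL cross-origin:", leaks_path_cross_origin(hdrs))
```

When deploying the directive itself, place it in the server block that serves the application and remember that an `add_header` inside a nested location block replaces, rather than merges with, the headers inherited from the enclosing block, so the policy must be repeated wherever other `add_header` lines appear; adding the `always` parameter makes Nginx emit it on error responses too. Confirm the result by fetching a page with `curl -sI` and checking that the Referrer-Policy header is present, then run `effective_policy` and `leaks_path_cross_origin` over the captured headers.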

Affected versions

2.3.1 to 2.6.0 included.

Notes

-

In release notes 2.7.0