Access control list limitations

When an application server hosts multiple applications on the same IP address, the same port and the same protocol, access control list (ACL) rules cannot be applied reliably to the individual applications, and the separation between them can be bypassed.

For example, app1 and app2 are hosted on the same server, app.example.com, and share one IP address, port and protocol. An ACL rule allows User A to access app1.app.example.com. For a tunnel-type application the EAA Client does not inspect the payload, so it can only act on the destination IP address, port and protocol, which are identical for app1 and app2. If an attacker modifies application-layer parameters, such as the HTTP Host header, before the traffic reaches the EAA Client, the EAA Client cannot detect the change. The connection permitted for app1 then carries the attacker's request to app2.app.example.com.
Note: The EAA Client does not perform termination, decryption, or deep-inspection of the application payload for tunnel-type client-access applications.
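The following simulation is an added example, not Akamai's or the EAA Client's code. It models the limitation described above: a connection-level ACL that sees only the (IP, port, protocol) tuple, and a backend that selects the virtual host from the Host header. The addresses, the user name and the two request flows are constructed for the illustration; the hostname-enforcing path shows the kind of check that would have to live at a layer that can read the request (the application itself or an HTTP-aware proxy in front of it), and is an assumption about how to close the gap, not a description of an EAA feature.

```python
# Added example (not Akamai/EAA code): why a connection-level ACL cannot
# separate two applications that share IP address, port and protocol.

# Constructed, hypothetical addressing: both applications resolve to the
# same (IP, port, protocol) tuple.
DNS = {
    "app1.app.example.com": ("203.0.113.10", 443, "tcp"),
    "app2.app.example.com": ("203.0.113.10", 443, "tcp"),
}

# ACL as the administrator wrote it: user -> allowed application hostnames.
ACL = {"userA": {"app1.app.example.com"}}


def tunnel_acl_allows(user, dst):
    """Connection-level check. The tunnel never sees a hostname, so the
    hostname rule collapses to the tuple the hostname resolves to."""
    allowed_tuples = {DNS[h] for h in ACL.get(user, set())}
    return dst in allowed_tuples


def parse_host_header(raw):
    """Minimal HTTP/1.1 header parse; returns the Host value lowercased,
    without any port suffix, or None if the header is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    return None


def backend_route(raw):
    """The shared application server picks the virtual host from Host."""
    host = parse_host_header(raw)
    if host in DNS:
        return host.split(".")[0]  # "app1" or "app2"
    return None


def tunnel_path(user, dst, raw):
    """Tunnel-type flow: ACL on the tuple, then the bytes are forwarded
    opaquely, so a rewritten Host header is never seen by the ACL."""
    if not tunnel_acl_allows(user, dst):
        return "blocked-by-tunnel-acl"
    return backend_route(raw)


def hostname_enforced_path(user, dst, raw):
    """Assumed hardening: a component that can read the request (the app
    itself or an HTTP-aware proxy) re-checks the ACL against Host."""
    if not tunnel_acl_allows(user, dst):
        return "blocked-by-tunnel-acl"
    host = parse_host_header(raw)
    if host not in ACL.get(user, set()):
        return "blocked-by-host-check"
    return backend_route(raw)


def build_request(host):
    """Constructed sample request; only the Host header matters here."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


if __name__ == "__main__":
    dst = DNS["app1.app.example.com"]
    legit = build_request("app1.app.example.com")
    tampered = build_request("app2.app.example.com")  # attacker rewrote Host
    print("tunnel, legit    :", tunnel_path("userA", dst, legit))
    print("tunnel, tampered :", tunnel_path("userA", dst, tampered))
    print("hardened, tampered:", hostname_enforced_path("userA", dst, tampered))
```

Running the block shows the legitimate request reaching app1, the tampered one reaching app2 through the same permitted connection, and the hostname-enforcing path rejecting it. The other way to avoid the limitation follows directly from the condition in the text: give each application its own IP address, port or protocol so that the tuples the tunnel ACL acts on are no longer identical.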