Bug 1930211 (CVE-2021-22881)

Summary: CVE-2021-22881 rubygem-actionpack: open redirect vulnerability may lead to confidentiality and integrity compromise
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, gmccullo, gtanzill, hhudgeon, jaruga, jfrey, jhardy, lzap, mmccune, mo, nmoumoul, obarenbo, pcreech, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-actionpack 6.1.2.1, rubygem-actionpack 6.0.3.5 Doc Type: If docs needed, set a value
Doc Text:
The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-22 13:02:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1930212, 1931318    
Bug Blocks: 1930213    

Description Marian Rehak 2021-02-18 14:10:33 UTC 
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

References:

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Comment 1 Marian Rehak 2021-02-18 14:10:58 UTC 
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1930212]
Comment 3 Yadnyawalk Tale 2021-02-22 06:52:02 UTC 
Statement:

Red Hat Satellite does not make use of the config.hosts setting and is not affected by this CVE.
Comment 5 Yadnyawalk Tale 2021-02-22 11:49:49 UTC 
Hackerone's report: https://hackerone.com/reports/1047447
Comment 6 Yadnyawalk Tale 2021-02-22 11:51:47 UTC 
Upstream patches: 

6-1-stable: https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444
6-0-stable: https://github.com/rails/rails/commit/e33092740b3cc05f5abee197a5982eac31947e92
Comment 7 Yadnyawalk Tale 2021-02-22 11:51:54 UTC 
External References:

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Comment 8 Product Security DevOps Team 2021-02-22 13:02:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22881