Bug 1995940 (CVE-2021-22942)

Summary: CVE-2021-22942 rubygem-actionpack: possible open redirect in the Host Authorization middleware
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, ehelms, gmccullo, gtanzill, jaruga, jfrey, jhardy, jsherril, lzap, mhulan, mmccune, mo, myarboro, nmoumoul, obarenbo, orabin, pcreech, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: rubygem-actionpack,rubygem-actionpack Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-actionpack. Specially crafted “X-Forwarded-Host” headers, in combination with certain “allowed host” formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-08-30 17:57:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1995941, 1999085    
Bug Blocks: 1995943    

Description Marian Rehak 2021-08-20 09:05:47 UTC
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.



Comment 1 Marian Rehak 2021-08-20 09:06:05 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1995941]

Comment 3 Yadnyawalk Tale 2021-08-30 11:25:45 UTC

Earlier, when `config.hosts` has domain name with leading dot (.) some function sanitize this domain name with wrong regex which was leading to redirection. CVE-2021-22881 fixed this by introducing new regex with addition of some auth checks. However, if `config.hosts` has domain name with case sensitivity (for example, .REDHAT.com) redirection was still possible; which is fixed by CVE-2021-22942.

I do see `config.hosts` in development env of upstream foreman but domain name anyway doesn't starts with leading dot (.) - which is required. Additionally, the production env do not have `config.hosts` so this looks safe. Same goes for downstream Satellite. Don't see upstream Katello using any of this.

Comment 4 Yadnyawalk Tale 2021-08-30 11:35:18 UTC
CVSS explanation:
* AC:H - Assuming victim already have vulnerable configuration settings (i.e. config.hosts with case sensitivity)
* C:L and I:L - Information in the victim's browser associated with the vulnerable rails app can be read (and later modified) by the malicious attacker by directed it any destination the attacker wishes.

Comment 7 Product Security DevOps Team 2021-08-30 17:57:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):