Bug 1995940 (CVE-2021-22942)
| Summary: | CVE-2021-22942 rubygem-actionpack: possible open redirect in the Host Authorization middleware | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, ehelms, gmccullo, gtanzill, jaruga, jfrey, jhardy, jsherril, lzap, mhulan, mmccune, mo, myarboro, nmoumoul, obarenbo, orabin, pcreech, pvalena, rchan, rjerrido, roliveri, ruby-packagers-sig, simaishi, smallamp, sokeeffe, sseago, strzibny, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | rubygem-actionpack 6.1.4.1, rubygem-actionpack 6.0.4.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in rubygem-actionpack. Specially crafted “X-Forwarded-Host” headers, in combination with certain “allowed host” formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. The highest threat from this vulnerability is to system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-30 17:57:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1995941, 1999085 | | |
| Bug Blocks: | 1995943 | | |
Description

Marian Rehak 2021-08-20 09:05:47 UTC

Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1995941]

Upstream fix:
6.0: https://github.com/rails/rails/commit/9fe57c0fc5561088a2df42e4438992591e9d917e
6.1: https://github.com/rails/rails/commit/5e9973d6e020b98a5ec71578aa1837efcf4d7b7e

Analysis
========

Earlier, when `config.hosts` had a domain name with a leading dot (.), some function sanitized this domain name with a wrong regex, which was leading to redirection. CVE-2021-22881 fixed this by introducing a new regex with the addition of some auth checks. However, if `config.hosts` has a domain name with case sensitivity (for example, .REDHAT.com), redirection was still possible; this is fixed by CVE-2021-22942.

I do see `config.hosts` in the development env of upstream foreman, but the domain name anyway doesn't start with a leading dot (.), which is required. Additionally, the production env does not have `config.hosts`, so this looks safe. The same goes for downstream Satellite. Don't see upstream Katello using any of this.

https://github.com/theforeman/foreman/blob/develop/config/environments/development.rb#L63

CVSS explanation:
* AC:H - Assuming the victim already has the vulnerable configuration settings (i.e. config.hosts with case sensitivity)
* C:L and I:L - Information in the victim's browser associated with the vulnerable rails app can be read (and later modified) by the malicious attacker by directing it to any destination the attacker wishes.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22942