Bug 1995940 (CVE-2021-22942) - CVE-2021-22942 rubygem-actionpack: possible open redirect in the Host Authorization middleware
Summary: CVE-2021-22942 rubygem-actionpack: possible open redirect in the Host Authori...
Alias: CVE-2021-22942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1995941 1999085
Blocks: 1995943
TreeView+ depends on / blocked
Reported: 2021-08-20 09:05 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC (History)
33 users (show)

Fixed In Version: rubygem-actionpack,rubygem-actionpack
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-actionpack. Specially crafted “X-Forwarded-Host” headers, in combination with certain “allowed host” formats, can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. The highest threat from this vulnerability is to system availability.
Clone Of:
Last Closed: 2021-08-30 17:57:23 UTC

Attachments (Terms of Use)

Description Marian Rehak 2021-08-20 09:05:47 UTC
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.



Comment 1 Marian Rehak 2021-08-20 09:06:05 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1995941]

Comment 3 Yadnyawalk Tale 2021-08-30 11:25:45 UTC

Earlier, when `config.hosts` has domain name with leading dot (.) some function sanitize this domain name with wrong regex which was leading to redirection. CVE-2021-22881 fixed this by introducing new regex with addition of some auth checks. However, if `config.hosts` has domain name with case sensitivity (for example, .REDHAT.com) redirection was still possible; which is fixed by CVE-2021-22942.

I do see `config.hosts` in development env of upstream foreman but domain name anyway doesn't starts with leading dot (.) - which is required. Additionally, the production env do not have `config.hosts` so this looks safe. Same goes for downstream Satellite. Don't see upstream Katello using any of this.

Comment 4 Yadnyawalk Tale 2021-08-30 11:35:18 UTC
CVSS explanation:
* AC:H - Assuming victim already have vulnerable configuration settings (i.e. config.hosts with case sensitivity)
* C:L and I:L - Information in the victim's browser associated with the vulnerable rails app can be read (and later modified) by the malicious attacker by directed it any destination the attacker wishes.

Comment 7 Product Security DevOps Team 2021-08-30 17:57:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.