Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Reference: https://www.openwall.com/lists/oss-security/2021/12/14/5
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 2034268]
Changelog: https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021

Upstream patch: https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44528