Bug 1930211 (CVE-2021-22881) - CVE-2021-22881 rubygem-actionpack: open redirect vulnerability may lead to confidentiality and integrity compromise
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-22881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1930212 1931318
Blocks: 1930213
Reported: 2021-02-18 14:10 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC

Fixed In Version: rubygem-actionpack 6.1.2.1, rubygem-actionpack 6.0.3.5
Doc Type: If docs needed, set a value
Doc Text:
The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
Clone Of:
Environment:
Last Closed: 2021-02-22 13:02:07 UTC
Embargoed:



Description Marian Rehak 2021-02-18 14:10:33 UTC
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

References:

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
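A triage helper for this advisory, written here as an added example (it is not code from the bug report or from Rails): it flags actionpack versions below the fixed releases named above and pulls leading-dot entries out of an application's `config.hosts` lines, since the advisory says only applications with such hosts are impacted. The sample config lines are constructed, and the assumption that release lines before 6.0 lack the Host Authorization middleware is mine, not the page's.

```ruby
# Added triage helper for CVE-2021-22881; not code from the bug report or Rails.
# Assumption: the Host Authorization middleware first shipped in Rails 6.0,
# so actionpack lines older than 6.0 have no such middleware to misconfigure.
require "rubygems"

# Fixed releases named in the advisory, keyed by release line.
FIXED_ACTIONPACK = {
  "6.0" => Gem::Version.new("6.0.3.5"),
  "6.1" => Gem::Version.new("6.1.2.1"),
}.freeze

# True when the installed actionpack is older than the fix for its line.
# Lines newer than 6.1 already carry the fix; lines older than 6.0 lack
# the middleware (assumption noted above).
def affected_actionpack?(version_string)
  version = Gem::Version.new(version_string)
  line = version.segments.first(2).join(".")
  fixed = FIXED_ACTIONPACK[line]
  fixed ? version < fixed : false
end

# Collect literal host strings with a leading dot from `config.hosts` lines.
# Only quoted string literals are inspected; Regexp/IPAddr entries and the
# framework's own defaults are out of scope for this check.
def leading_dot_hosts(config_source)
  config_source.each_line.flat_map do |line|
    next [] unless line.include?("config.hosts")
    line.scan(/["']([^"']+)["']/).flatten.select { |host| host.start_with?(".") }
  end
end

# Exposure needs both conditions from the advisory: an unfixed version and
# at least one allowed host with a leading dot.
def triage(actionpack_version, config_source)
  hosts = leading_dot_hosts(config_source)
  affected = affected_actionpack?(actionpack_version)
  { affected_version: affected, leading_dot_hosts: hosts,
    exposed: affected && !hosts.empty? }
end

# Constructed sample config lines (not taken from any real application).
SAMPLE_CONFIG = <<~RUBY
  config.hosts << "www.example.com"
  config.hosts << ".example.com"
  config.hosts.concat ['api.example.com', ".internal.example"]
RUBY

puts triage("6.1.2", SAMPLE_CONFIG).inspect if __FILE__ == $PROGRAM_NAME
```

Applied to a deployment, `affected_version: true` means upgrade to 6.1.2.1 or 6.0.3.5; an empty `leading_dot_hosts` list matches the reasoning in the Satellite statement below, where no use of `config.hosts` means the application is not affected.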

Comment 1 Marian Rehak 2021-02-18 14:10:58 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1930212]

Comment 3 Yadnyawalk Tale 2021-02-22 06:52:02 UTC
Statement:

Red Hat Satellite does not make use of the config.hosts setting and is not affected by this CVE.

Comment 5 Yadnyawalk Tale 2021-02-22 11:49:49 UTC
Hackerone's report: https://hackerone.com/reports/1047447

Comment 8 Product Security DevOps Team 2021-02-22 13:02:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22881
