Bug 1930211 (CVE-2021-22881) - CVE-2021-22881 rubygem-actionpack: open redirect vulnerability may lead to confidentiality and integrity compromise
Summary: CVE-2021-22881 rubygem-actionpack: open redirect vulnerability may lead to co...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-22881
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1930212 1931318
Blocks: 1930213
TreeView+ depends on / blocked
 
Reported: 2021-02-18 14:10 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC (History)
29 users (show)

Fixed In Version: rubygem-actionpack 6.1.2.1, rubygem-actionpack 6.0.3.5
Doc Type: If docs needed, set a value
Doc Text:
The Host Authorization middleware in Action Pack suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
Clone Of:
Environment:
Last Closed: 2021-02-22 13:02:07 UTC


Attachments (Terms of Use)

Description Marian Rehak 2021-02-18 14:10:33 UTC
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

References:

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

Comment 1 Marian Rehak 2021-02-18 14:10:58 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1930212]

Comment 3 Yadnyawalk Tale 2021-02-22 06:52:02 UTC
Statement:

Red Hat Satellite does not make use of the config.hosts setting and is not affected by this CVE.

Comment 5 Yadnyawalk Tale 2021-02-22 11:49:49 UTC
Hackerone's report: https://hackerone.com/reports/1047447

Comment 8 Product Security DevOps Team 2021-02-22 13:02:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22881


Note You need to log in before you can comment on or make changes to this bug.