Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Reference: https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1995941]
Upstream fix:

6.0: https://github.com/rails/rails/commit/9fe57c0fc5561088a2df42e4438992591e9d917e
6.1: https://github.com/rails/rails/commit/5e9973d6e020b98a5ec71578aa1837efcf4d7b7e
Analysis
==========

Earlier, when `config.hosts` had a domain name with a leading dot (.), some function sanitized this domain name with a wrong regex, which led to redirection. CVE-2021-22881 fixed this by introducing a new regex along with some additional auth checks. However, if `config.hosts` has a domain name with case sensitivity (for example, .REDHAT.com), redirection was still possible; this is fixed by CVE-2021-22942.

I do see `config.hosts` in the development env of upstream foreman, but the domain name doesn't start with a leading dot (.) anyway, which is required. Additionally, the production env does not have `config.hosts`, so this looks safe. The same goes for downstream Satellite. I don't see upstream Katello using any of this.

https://github.com/theforeman/foreman/blob/develop/config/environments/development.rb#L63
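An added illustration of the two checks the analysis above performs by hand; this is example code written for this bug page, not code from Rails, Foreman, Katello or Satellite, and it does not reproduce the actual Action Pack regex or the upstream fix (see the linked commits for those). It models a host allowlist in the shape of `config.hosts` (plain hostnames, leading-dot wildcard entries, Regexps, IPAddr ranges), matches the request host case-insensitively by lowercasing both sides, restricts subdomain labels to a strict character class, and provides `suspicious_host_entries`, which flags the configuration pattern this page names as required for exposure: a leading-dot entry that is not already lowercase. The function names, the port-stripping behaviour and the treatment of `X-Forwarded-Host` as "the host header the caller already selected" are assumptions of the example.

```ruby
# Example host-allowlist checker for the CVE-2021-22942 analysis on this page.
# Not Rails code: a simplified model showing case-insensitive matching of
# `config.hosts`-style entries plus an audit of leading-dot entries with
# uppercase characters (the configuration this page says is required).
require "ipaddr"

# Strict DNS label: letters, digits and hyphens only. Because both the allowed
# entry and the request host are lowercased before matching, uppercase hosts
# cannot escape this class and matching is case-insensitive by construction.
LABEL = /[a-z0-9-]+/

# Turn one allowed-host entry into something that can be matched.
def compile_allowed(entry)
  case entry
  when Regexp, IPAddr then entry
  when String
    host = entry.downcase
    if host.start_with?(".")
      # ".example.com" permits example.com itself and any chain of subdomain labels.
      /\A(#{LABEL}\.)*#{Regexp.escape(host[1..-1])}\z/
    else
      /\A#{Regexp.escape(host)}\z/
    end
  else
    raise ArgumentError, "unsupported allowed-host entry: #{entry.inspect}"
  end
end

# host_header is whichever value the caller selected (Host or X-Forwarded-Host;
# assumption: that selection happened upstream). The port is stripped, and
# anything that could smuggle a path or userinfo into the host is rejected.
def allowed_host?(allowed, host_header)
  host = host_header.to_s.downcase.sub(/:\d+\z/, "")
  return false if host.empty? || host.include?("/") || host.include?("@")

  allowed.any? do |entry|
    pattern = compile_allowed(entry)
    if pattern.is_a?(IPAddr)
      begin
        pattern.include?(IPAddr.new(host))
      rescue IPAddr::Error
        false # not an IP literal, so an IP-range entry cannot match it
      end
    else
      pattern.match?(host)
    end
  end
end

# Audit helper: leading-dot string entries that contain uppercase characters,
# i.e. the `config.hosts` shape this page identifies as the precondition.
def suspicious_host_entries(hosts)
  hosts.select { |h| h.is_a?(String) && h.start_with?(".") && h != h.downcase }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration and request hosts for demonstration.
  hosts = [".REDHAT.com", "localhost", IPAddr.new("10.0.0.0/8")]
  p suspicious_host_entries(hosts)                      # [".REDHAT.com"]
  p allowed_host?(hosts, "Foo.Redhat.COM")              # true
  p allowed_host?(hosts, "redhat.com.evil.example")     # false
  p allowed_host?(hosts, "evil.example#.redhat.com")    # false
  p allowed_host?(hosts, "10.1.2.3")                    # true
end
```

Running the audit against an application's `config.hosts` array (for example in a Rails console) reproduces the manual check from the analysis: any entry it returns is a leading-dot wildcard that should be lowercased, and the application should be upgraded to the fixed Action Pack release in any case.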
CVSS explanation:

* AC:H - Assuming the victim already has the vulnerable configuration settings (i.e. config.hosts with case sensitivity)
* C:L and I:L - Information in the victim's browser associated with the vulnerable rails app can be read (and later modified) by the malicious attacker by directing it to any destination the attacker wishes.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22942