Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
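As an added example (not code from Rails or from this bug report), the Rack-compatible middleware below accepts a request only when every "X-Forwarded-Host" value is a plain host name that exactly matches a configured host, so a crafted value never reaches redirect-building code. The class name StrictForwardedHost and the host app.example.test are hypothetical, and exact matching is a choice made for this example, not a description of the upstream fix.

```ruby
# Added example: plain-Ruby Rack middleware (no gems needed).
# StrictForwardedHost and all host names here are hypothetical / constructed.
class StrictForwardedHost
  LABEL = "[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
  # Host name, optional trailing dot, optional port. Nothing else is accepted.
  HOST_RE = /\A(#{LABEL}(?:\.#{LABEL})*)\.?(?::\d{1,5})?\z/

  def initialize(app, allowed_hosts)
    @app = app
    @allowed = allowed_hosts.map { |h| h.downcase.chomp(".") }.freeze
  end

  def call(env)
    raw = env["HTTP_X_FORWARDED_HOST"]
    return @app.call(env) if raw.nil? || raw.empty?

    # Chained proxies may append values; every element must be allowed.
    hosts = raw.split(",", -1).map { |v| normalize(v) }
    if hosts.all? { |h| h && @allowed.include?(h) }
      @app.call(env)
    else
      [400, { "content-type" => "text/plain" }, ["Invalid X-Forwarded-Host\n"]]
    end
  end

  private

  # Lower-cased host without port, or nil when the value is not a plain host name.
  def normalize(value)
    m = HOST_RE.match(value.strip.downcase)
    m && m[1]
  end
end

if __FILE__ == $0
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  guard = StrictForwardedHost.new(app, ["app.example.test"])
  # Constructed header values: exact match, other host, sub-domain, path suffix.
  ["App.Example.Test:443", "evil.test", "sub.app.example.test",
   "app.example.test/evil.test"].each do |value|
    status, = guard.call("HTTP_X_FORWARDED_HOST" => value)
    puts format("%-30s -> %d", value, status)
  end
end
```

In a Rails application a middleware like this would be inserted ahead of the Host Authorization middleware; requests that carry no "X-Forwarded-Host" header pass through unchanged.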
Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 2034268]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):