CVE-2021-22942 – actionpack
Package
Manager: gem
Name: actionpack
Vulnerable Version: >=6.0.0 <6.0.4.1 || >=6.1.0 <6.1.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00545 (percentile 0.66816)
Details
Open Redirect in ActionPack

# Overview

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1

# Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

```ruby
config.hosts << '.EXAMPLE.com'
```

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take into account domain name case sensitivity.

# Releases

The fixed releases are available at the normal locations.

# Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    # The trailing /i makes host name matching case-insensitive.
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      # Both the Host header and, when present, X-Forwarded-Host must be allowed.
      def authorized?(request)
        origin_host = request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host = request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end
```
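The following audit sketch is an added example, not part of the advisory or of Rails: it reads the resolved actionpack version from `Gemfile.lock` text, compares it with the affected ranges listed on this page, and flags `config.hosts` entries with a leading dot. The lockfile and config samples are constructed, and all helper names are hypothetical.

```ruby
require "rubygems"

# Affected ranges as listed on this page.
AFFECTED = [
  Gem::Requirement.new(">= 6.0.0", "< 6.0.4.1"),
  Gem::Requirement.new(">= 6.1.0", "< 6.1.4.1"),
].freeze

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.4)
        actionview (= 6.1.4)
LOCK
SAMPLE_CONFIG = <<~CONF
  Rails.application.configure do
    config.hosts << '.EXAMPLE.com'
    config.hosts << "api.example.com"
    # config.hosts << '.old.example.com'
  end
CONF

# Resolved gems sit at four spaces of indent; their dependencies at six.
def locked_actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def affected_version?(version)
  AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# String literals starting with "." on uncommented config.hosts lines.
def leading_dot_hosts(config_text)
  config_text.each_line.flat_map do |line|
    next [] unless line =~ /^\s*config\.hosts\b/
    line.scan(/["'](\.[^"']+)["']/).flatten
  end
end

def audit(lockfile_text, config_text)
  version = locked_actionpack_version(lockfile_text)
  affected = !version.nil? && affected_version?(version)
  hosts = leading_dot_hosts(config_text)
  { version: version&.to_s, affected_version: affected,
    leading_dot_hosts: hosts, exposed: affected && !hosts.empty? }
end

p audit(SAMPLE_LOCK, SAMPLE_CONFIG) if $PROGRAM_NAME == __FILE__
```

The host scan only sees literal strings on `config.hosts` lines; allowed hosts loaded from environment variables or built at runtime need a separate check.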
Metadata
Created: 2021-08-26T20:36:51Z
Modified: 2024-02-02T16:47:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-2rqw-v265-jf8c
Finding: F100
Auto approve: 1