-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2021-22903.yml
51 lines (46 loc) · 1.45 KB
/
CVE-2021-22903.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
---
gem: actionpack
framework: rails
cve: 2021-22903
ghsa: 5hq2-xf89-9jxq
url: https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
title: Possible Open Redirect Vulnerability in Action Pack
date: 2021-05-05
description: |
There is a possible Open Redirect Vulnerability in Action Pack. This
vulnerability has been assigned the CVE identifier CVE-2021-22903.
Versions Affected: >= v6.1.0.rc2
Not affected: < v6.1.0.rc2
Fixed Versions: 6.1.3.2
Impact
------
This is similar to CVE-2021-22881: Specially crafted Host headers in
combination with certain "allowed host" formats can cause the Host
Authorization middleware in Action Pack to redirect users to a malicious
website.
Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading
dot are converted to regular expressions without proper escaping. This causes,
for example, config.hosts << "sub.example.com" to permit a request with a Host
header value of sub-example.com.
Workarounds
-----------
The following monkey patch put in an initializer can be used as a workaround:
```ruby
class ActionDispatch::HostAuthorization::Permissions
def sanitize_string(host)
if host.start_with?(".")
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
else
/\A#{Regexp.escape host}\z/i
end
end
end
```
cvss_v3: 6.1
unaffected_versions:
- "< 6.1.0.rc2"
patched_versions:
- ">= 6.1.3.2"
related:
cve:
- 2021-22881