There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881, but the fix for CVE-2021-22881 did not take into account domain name case sensitivity.
The fixed releases are available at the normal locations.
In the case a patch can't be applied, the following monkey patch can be used in an initializer:
module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""

        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end
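To see what the added /i flag changes, here is a stand-alone Ruby model of the patched check (an added example, not Rails code or the advisory's own patch) that extracts the origin and forwarded hosts with the regexes above and matches them against a leading-dot allowed host; the allow-list matcher `host_matcher` is a simplified assumption, not Rails' Permissions class.

```ruby
# Added example: a stand-alone model of the patched Host Authorization check,
# so the effect of the /i flag can be verified without booting a Rails app.

# Hostname grammar from the advisory's patch: a DNS name or a bracketed IPv6
# literal, matched case-insensitively (the /i flag is the fix).
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

# The same grammar without /i, kept only to show what the patch changes.
LEGACY_HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/
LEGACY_VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{LEGACY_HOSTNAME})(?::\d+)?\z/

# Last hostname in an X-Forwarded-Host list, port removed. Returns "" when the
# header is absent or does not parse, mirroring `slice(...) || ""` above.
def forwarded_host_for(header, pattern = VALID_FORWARDED_HOST)
  header&.slice(pattern, 1) || ""
end

def origin_host_for(header)
  header&.slice(VALID_ORIGIN_HOST, 1) || ""
end

# Simplified allow-list matcher (an assumption, not Rails' Permissions class):
# a leading dot permits the domain itself and any chain of subdomain labels,
# compared case-insensitively and anchored at both ends.
def host_matcher(allowed)
  if allowed.start_with?(".")
    /\A([a-z0-9-]+\.)*#{Regexp.escape(allowed[1..-1])}\z/i
  else
    /\A#{Regexp.escape(allowed)}\z/i
  end
end

def allows?(allowed_hosts, host)
  allowed_hosts.any? { |allowed| host_matcher(allowed).match?(host) }
end

# The patched decision: the Host header must be allowed, and a forwarded host
# that parses must be allowed as well.
def authorized?(allowed_hosts, host_header:, forwarded_header: nil)
  origin = origin_host_for(host_header)
  forwarded = forwarded_host_for(forwarded_header)
  allows?(allowed_hosts, origin) &&
    (forwarded.empty? || allows?(allowed_hosts, forwarded))
end
```

Comparing `forwarded_host_for` with the legacy pattern against the patched one on an upper-case header shows the difference the flag makes: the legacy grammar does not extract the host at all, so it never reaches the allow-list check.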
References:
https://www.openwall.com/lists/oss-security/2021/12/14/5
https://access.redhat.com/security/cve/cve-2021-22942
https://github.com/rails/rails
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
https://nvd.nist.gov/vuln/detail/CVE-2021-22942
https://rubygems.org/gems/actionpack
https://security.netapp.com/advisory/ntap-20240202-0005
https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
https://www.debian.org/security/2023/dsa-5372