Lucene search

RubySecRUBY:ACTIONPACK-2021-22903

HistoryMay 04, 2021 - 9:00 p.m.

Possible Open Redirect Vulnerability in Action Pack

2021-05-0421:00:00

RubySec

rubysec.com

action pack

open redirect vulnerability

cve-2021-22903

host headers

authorization middleware

regular expressions

workaround

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

61.0%

JSON

There is a possible Open Redirect Vulnerability in Action Pack. This
vulnerability has been assigned the CVE identifier CVE-2021-22903.

Versions Affected: >= v6.1.0.rc2
Not affected: < v6.1.0.rc2
Fixed Versions: 6.1.3.2

Impact

This is similar to CVE-2021-22881: Specially crafted Host headers in
combination with certain “allowed host” formats can cause the Host
Authorization middleware in Action Pack to redirect users to a malicious
website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading
dot are converted to regular expressions without proper escaping. This causes,
for example, config.hosts << “sub.example.com” to permit a request with a Host
header value of sub-example.com.

Workarounds

The following monkey patch put in an initializer can be used as a workaround:

class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end