CVE-2021-22881 - Medium Severity Vulnerability
Vulnerable Library - actionpack-6.0.2.2.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem
Dependency Hierarchy:
Found in HEAD commit: 236664cbc5769870ab2bcbeffd6a5aab5b9ad230
Found in base branch: gh-pages
Vulnerability Details
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
Publish Date: 2021-02-11
URL: CVE-2021-22881
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Release Date: 2021-02-11
Fix Resolution: 6.0.3.5, 6.1.2.1