What is CVE-2021-22881?

CVE-2021-22881 is an open redirect vulnerability in the Host Authorization middleware in Ruby on Rails before version 6.1.2.1 and 6.0.3.5.

What is the severity of CVE-2021-22881?

CVE-2021-22881 has a severity rating of 6.1, which is considered medium.

Which software versions are affected by CVE-2021-22881?

Ruby on Rails versions before 6.1.2.1 and 6.0.3.5 are affected by CVE-2021-22881.

How does CVE-2021-22881 work?

CVE-2021-22881 can be exploited by sending specially crafted `Host` headers to the vulnerable application, which can lead to an open redirect and redirect users to a malicious website.

Is there a fix available for CVE-2021-22881?

Yes, upgrading to Ruby on Rails version 6.1.2.1 or 6.0.3.5 will fix the vulnerability.

Vulnerability/
CVE-2021-22881

medium

6.1

CWE

601

11/2/2021

4/1/2022

CVE-2021-22881

First published: Thu Feb 11 2021(Updated: )

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

Credit: support@hackerone.com

Affected Software	Affected Version	How to fix
Rubyonrails Rails	>=6.0.0<6.0.3.5
Rubyonrails Rails	>=6.1.0<6.1.2.1
Fedoraproject Fedora	=33

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-22881?
CVE-2021-22881 is an open redirect vulnerability in the Host Authorization middleware in Ruby on Rails before version 6.1.2.1 and 6.0.3.5.
What is the severity of CVE-2021-22881?
CVE-2021-22881 has a severity rating of 6.1, which is considered medium.
Which software versions are affected by CVE-2021-22881?
Ruby on Rails versions before 6.1.2.1 and 6.0.3.5 are affected by CVE-2021-22881.
How does CVE-2021-22881 work?
CVE-2021-22881 can be exploited by sending specially crafted `Host` headers to the vulnerable application, which can lead to an open redirect and redirect users to a malicious website.
Is there a fix available for CVE-2021-22881?
Yes, upgrading to Ruby on Rails version 6.1.2.1 or 6.0.3.5 will fix the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.