First published: Fri Aug 20 2021
# Overview

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1

# Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

```ruby
config.hosts << '.EXAMPLE.com'
```

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but the fix for CVE-2021-22881 did not take into account domain name case sensitivity.

# Releases

The fixed releases are available at the normal locations.

# Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    # The /i flag lets hostnames written in upper or mixed case be parsed
    # before they are checked against the allowlist.
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        # Only the bare hostname (without port) extracted by the strict
        # regexps is compared against the allowlist; anything that does not
        # parse as a clean hostname becomes "" and is rejected.
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end
```
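To see what the patched `authorized?` check accepts and rejects without booting Rails, here is an added stand-alone Ruby model of it (example code, not from the advisory or from Rails itself). The `host_matcher` helper is an assumed simplification of how ActionDispatch treats string entries in `config.hosts` (a leading dot means the domain and any subdomain, compared case-insensitively); `Regexp` and `IPAddr` entries are not covered.

```ruby
# Added example: stand-alone model of the patched host-authorization check.
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

# Builds the matcher for one string entry of config.hosts (simplified model
# of ActionDispatch's handling; assumption, not the library's own code).
# ".example.com" matches example.com and any subdomain, ignoring case.
def host_matcher(entry)
  if entry.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(entry[1..-1])}\z/i
  else
    /\A#{Regexp.escape(entry)}\z/i
  end
end

# True when the Host header, and X-Forwarded-Host if present, each parse as
# a clean hostname[:port] and each hostname is on the allowlist. Only the
# last hop of a comma-separated X-Forwarded-Host chain is examined, which is
# what the VALID_FORWARDED_HOST regexp anchors on. A header that does not
# parse (e.g. one carrying a path) yields "" and is therefore rejected.
# String#empty? stands in for ActiveSupport's blank? here.
def authorized?(allowed_hosts, host_header, forwarded_header = nil)
  matchers = allowed_hosts.map { |h| host_matcher(h) }
  origin_host = host_header&.slice(VALID_ORIGIN_HOST, 1) || ""
  forwarded_host = forwarded_header&.slice(VALID_FORWARDED_HOST, 1) || ""
  allows = ->(host) { matchers.any? { |m| m.match?(host) } }
  allows.call(origin_host) && (forwarded_host.empty? || allows.call(forwarded_host))
end

# The advisory's leading-dot configuration, constructed sample allowlist.
ALLOWED = [".EXAMPLE.com"].freeze

puts authorized?(ALLOWED, "app.example.com:3000")                        # true
puts authorized?(ALLOWED, "APP.EXAMPLE.COM", "api.example.com")          # true
puts authorized?(ALLOWED, "app.example.com", "proxy.example.com, [::1]") # false
puts authorized?(ALLOWED, "app.example.com", "other.test")               # false
puts authorized?(ALLOWED, "app.example.com/path")                        # false
```

The third call is rejected because only the final hop (`[::1]`) of the forwarded chain is compared, and it is not on the allowlist.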
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/rails | <=2:6.1.4+dfsg-4, <=2:6.0.3.7+dfsg-2 | |
debian/rails | 2:5.2.2.1+dfsg-1+deb10u3, 2:5.2.2.1+dfsg-1+deb10u5, 2:6.0.3.7+dfsg-2+deb11u2, 2:6.1.7.3+dfsg-1, 2:6.1.7.3+dfsg-2 | |
Rubyonrails Rails | >=6.0.0, <6.0.4.1 | |
Rubyonrails Rails | >=6.1.0, <6.1.4.1 | |
rubygems/actionpack | >=6.1.0, <=6.1.4 | 6.1.4.1 |
rubygems/actionpack | >=6.0.0, <=6.0.4 | 6.0.4.1 |
CVE-2021-22942 is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0.
CVE-2021-22942 could allow attackers to redirect users to a malicious website.
CVE-2021-22942 has a severity rating of 6.1 (high).
There is no available fix for CVE-2021-22942 at the moment. It is recommended to monitor the official security sources for any updates or patches.
You can find more information about CVE-2021-22942 at the following references: [link1](https://security-tracker.debian.org/tracker/CVE-2021-22942), [link2](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942), [link3](https://www.openwall.com/lists/oss-security/2021/08/20/1)