CVE-2023-22797
First published: Thu Feb 09 2023(Updated: )
An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Actionpack Project Actionpack | >=7.0.0<7.0.4.1 | |
| Rubyonrails Rails | >=7.0.0<7.0.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-22797?
CVE-2023-22797 is an open redirect vulnerability fixed in Rails 7.0.4.1.
Which versions of Rails are affected by CVE-2023-22797?
Versions 7.0.0 to 7.0.4.1 of Rails are affected by CVE-2023-22797.
What is the severity of CVE-2023-22797?
CVE-2023-22797 has a severity rating of medium.
How can CVE-2023-22797 be fixed?
CVE-2023-22797 can be fixed by updating to Rails version 7.0.4.1 or later.
Where can I find more information about CVE-2023-22797?
You can find more information about CVE-2023-22797 at the following link: https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
- collector/nvd-index
- agent/weakness
- vendor/actionpack project
- canonical/actionpack project actionpack
- version/actionpack project actionpack/7.0.0
- vendor/rubyonrails
- canonical/rubyonrails rails
- version/rubyonrails rails/7.0.0