Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-22881 — Open Redirect in Rails

CWE-601 — Open Redirect12 documents8 sources

Severity

6.1MEDIUMNVD

EPSS

15.5%

top 5.34%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Rubyonrails Rails Actionpack Project Actionpack Https Github.com Rails Rails +1 more

Timeline

PublishedFeb 11

Latest updateDec 14

Description

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶RubyGemsactionpack_project/actionpack6.0.0 — 6.0.3.5+1

▶NVDrubyonrails/rails6.0.0 — 6.0.3.5+1

▶Debianrubyonrails/rails< 2:6.0.3.5+dfsg-1+3

▶CVEListV5https/github.com_rails_railsFixed in 6.1.2.1, 6.0.3.5, Fixed in 6.1.3.2+1

Also affects: Fedora 33

Patches

Patch: www.openwall.com ↗Patch: benjamin-bouchet.com ↗Patch: discuss.rubyonrails.org ↗

🔴Vulnerability Details

GHSA

actionpack Open Redirect in Host Authorization Middleware↗2021-12-14

▶

GHSA

Possible Open Redirect Vulnerability in Action Pack↗2021-05-05

▶

OSV

Actionpack Open Redirect Vulnerability↗2021-03-02

▶

GHSA

Actionpack Open Redirect Vulnerability↗2021-03-02

▶

CVEList

CVE-2021-22881: The Host Authorization middleware in Action Pack before 6↗2021-02-11

▶

💥Exploits & PoCs

Nuclei

Ruby on Rails - Open Redirect via Host Header Injection

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: Possible Open Redirect Vulnerability in Action Pack↗2021-05-05

▶

Red Hat

rubygem-actionpack: open redirect vulnerability may lead to confidentiality and integrity compromise↗2021-02-11

▶

Debian

CVE-2021-22881: rails - The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers...↗2021

▶

💬Community

HackerOne

The Host Authorization middleware in Action Pack is vulnerable to crafted X-Forwarded-Host values↗2021-11-18

▶