Description
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts << "sub.example.com"` to permit a request with a Host header value of `sub-example.com`.
References (2)
Core 2
Core References
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1148025
Mitigation, Patch, Vendor Advisory x_refsource_misc
https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
Scores
CVSS v3
6.1
EPSS
0.0010
EPSS Percentile
26.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (3)
rubygems/actionpack
6.1.0.rc2 - 6.1.3.2RubyGems
rubyonrails/rails
6.1.0 rc2
rubyonrails/rails
6.1.1 - 6.1.3.2
Published
Jun 11, 2021
Tracked Since
Feb 18, 2026