CVE-2021-22881

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

History

07 Nov 2023, 03:30

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/', 'name': 'FEDORA-2021-b571fca1b8', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/ -

04 Jan 2022, 16:38

Type Values Removed Values Added
References (MLIST) http://www.openwall.com/lists/oss-security/2021/12/14/5 - (MLIST) http://www.openwall.com/lists/oss-security/2021/12/14/5 - Exploit, Mailing List, Patch

14 Dec 2021, 22:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/12/14/5 -

21 Sep 2021, 17:50

Type Values Removed Values Added
References (MLIST) http://www.openwall.com/lists/oss-security/2021/08/20/1 - (MLIST) http://www.openwall.com/lists/oss-security/2021/08/20/1 - Mailing List, Mitigation, Third Party Advisory
References (MLIST) http://www.openwall.com/lists/oss-security/2021/05/05/2 - (MLIST) http://www.openwall.com/lists/oss-security/2021/05/05/2 - Mailing List, Mitigation, Third Party Advisory

20 Aug 2021, 03:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/08/20/1 -

06 May 2021, 14:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2021/05/05/2 -

23 Mar 2021, 19:50

Type Values Removed Values Added
References (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/ - Mailing List, Third Party Advisory
CPE cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

12 Mar 2021, 23:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/ -

17 Feb 2021, 20:52

Type Values Removed Values Added
CWE CWE-601
CPE cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.8
v3 : 6.1
References (MISC) https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 - (MISC) https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 - Mitigation, Patch, Vendor Advisory
References (MISC) https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/ - (MISC) https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/ - Patch, Third Party Advisory
References (MISC) https://hackerone.com/reports/1047447 - (MISC) https://hackerone.com/reports/1047447 - Exploit, Patch, Third Party Advisory

12 Feb 2021, 19:15

Type Values Removed Values Added
References
  • (MISC) https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/ -

11 Feb 2021, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-02-11 18:15

Updated : 2023-12-10 13:41


NVD link : CVE-2021-22881

Mitre link : CVE-2021-22881

CVE.ORG link : CVE-2021-22881


JSON object : View

Products Affected

rubyonrails

  • rails

fedoraproject

  • fedora
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')