CVE-2021-22903

{"id": "CVE-2021-22903", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2021-06-11T16:15:11.437", "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867", "tags": ["Mitigation", "Patch", "Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/1148025", "tags": ["Permissions Required", "Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-601"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain \"allowed host\" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, `config.hosts << \"sub.example.com\"` to permit a request with a Host header value of `sub-example.com`."}, {"lang": "es", "value": "El actionpack ruby gem versiones anteriores a 6.1.3.2, sufre una posible vulnerabilidad de redireccionamiento abierto. Las cabeceras de Host especialmente dise\u00f1adas en combinaci\u00f3n con determinados formatos \"allowed host\" pueden hacer que el middleware Host Authorization de Action Pack redirija a usuarios hacia un sitio web malicioso. Esto es similar a CVE-2021-22881. Las cadenas en config.hosts que no tienen un punto inicial se convierten en expresiones regulares sin un escape apropiado. Esto hace que, por ejemplo, \"config.hosts (( \"sub.example.com\"\" permita una petici\u00f3n con un valor de cabecera Host de \"sub-example.com\""}], "lastModified": "2021-10-21T14:32:48.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CAFC5D0-4073-430A-B9A1-5CF37A75EC7F", "versionEndExcluding": "6.1.3.2", "versionStartIncluding": "6.1.1"}, {"criteria": "cpe:2.3:a:rubyonrails:rails:6.1.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4431B78-31D7-4845-920B-238B355BF890"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}