An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.
References
Link | Resource |
---|---|
https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 | Not Applicable |
Configurations
Configuration 1 (hide)
|
History
21 Feb 2023, 15:50
Type | Values Removed | Values Added |
---|---|---|
First Time |
Actionpack Project
Rubyonrails rails Actionpack Project actionpack Rubyonrails |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.1 |
References | (MISC) https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 - Not Applicable | |
CWE | CWE-601 | |
CPE | cpe:2.3:a:actionpack_project:actionpack:*:*:*:*:*:ruby:*:* cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* |
09 Feb 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-09 20:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-22797
Mitre link : CVE-2023-22797
CVE.ORG link : CVE-2023-22797
JSON object : View
Products Affected
rubyonrails
- rails
actionpack_project
- actionpack
CWE
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')