CVSS v3.x: 6.1 (Medium)
Unaffected versions:
- < 6.0.0
Patched versions:
- ~> 6.0.3, >= 6.0.3.5
- >= 6.1.2.1
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22881.
Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.1.2.1, 6.0.3.5
Specially crafted "Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications are those whose allowed hosts include an entry with a leading dot (the form used to permit every subdomain of a domain). For example, configuration that looks like this:
config.hosts << '.tkte.ch'
When an allowed host contains a leading dot, a specially crafted Host header can be made to satisfy the allow-list check and then be used to redirect the user to a malicious website. Applications that list only exact host names, or that do not use the Host Authorization middleware, are not affected by this issue.
If the fixed versions cannot be installed, the following monkey patch can be placed in an initializer. It validates the Host (and the last X-Forwarded-Host) value against a strict host syntax before the allow-list is consulted:
module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        # Only hostname characters or a bracketed IPv6 literal, plus an
        # optional port, are accepted; anything else fails to match.
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        # Note: a forwarded host that does not match valid_host yields nil
        # here and is treated as absent by the check below.
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host &&
          @permissions.allows?(origin_host[:host]) &&
          (forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end
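The following is an added example, not code from this advisory or from Action Pack itself. It models the leading-dot allowed-host matching described above and contrasts a permissive check (compare the raw host against the allow-list) with the patched approach (require a syntactically valid host first, using the same valid_host pattern as the monkey patch). The helper names, the assumption that a leading-dot entry becomes an "any prefix ending in a dot" pattern, and the sample Host values are all constructed for illustration.

```ruby
# Added example (my own code, not Action Pack's): why a strict Host syntax
# check matters when allowed hosts carry a leading dot.

# Leading-dot entries such as ".tkte.ch" become a pattern that accepts any
# prefix ending in a dot, so "www.tkte.ch" and "tkte.ch" both match.
# (Assumption: this mirrors the pre-patch pattern building; it is not copied
# from Action Pack.)
def allowed_host_pattern(allowed)
  if allowed.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(allowed[1..])}\z/i
  else
    /\A#{Regexp.escape(allowed)}\z/i
  end
end

# The host syntax from the patch above: hostname characters or a bracketed
# IPv6 literal, an optional port, and nothing else.
VALID_HOST = /
  \A
  (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
  (:\d+)?
  \z
/x

# Permissive check: strip a trailing port and match the remainder directly.
# The "(.+\.)?" prefix in the pattern happily swallows "/", "#", "@" and other
# characters that never appear in a real hostname, so a value that merely
# ends in ".tkte.ch" passes.
def permissive_allowed?(host_header, allowed_hosts)
  host = host_header.to_s.downcase.sub(/:\d+\z/, "")
  allowed_hosts.any? { |a| allowed_host_pattern(a) === host }
end

# Patched-style check: refuse anything that is not a syntactically valid host
# before consulting the allow-list, and compare only the captured hostname.
def strict_allowed?(host_header, allowed_hosts)
  m = VALID_HOST.match(host_header.to_s.downcase)
  return false unless m
  allowed_hosts.any? { |a| allowed_host_pattern(a) === m[:host] }
end

ALLOWED_HOSTS = [".tkte.ch"]

# Constructed Host header values for illustration (not taken from any
# published proof of concept).
SAMPLE_HOSTS = [
  "www.tkte.ch",               # legitimate subdomain
  "tkte.ch",                   # bare domain
  "WWW.tkte.ch:3000",          # mixed case with a port
  "tkte.ch.attacker.example",  # allowed name used as a prefix, not a suffix
  "attacker.example/.tkte.ch", # hostname followed by characters no host has
  "attacker.example#.tkte.ch",
]

# Returns { host => [permissive_result, strict_result] } for every sample.
def compare_checks(hosts = SAMPLE_HOSTS, allowed = ALLOWED_HOSTS)
  hosts.to_h do |h|
    [h, [permissive_allowed?(h, allowed), strict_allowed?(h, allowed)]]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |host, (permissive, strict)|
    printf("%-28s permissive=%-5s strict=%s\n", host, permissive, strict)
  end
end
```

Running the script shows the difference: the two values that end in ".tkte.ch" but contain "/" or "#" are accepted by the permissive check and rejected by the strict one, while legitimate subdomains, a port suffix and mixed case are accepted by both. The point to take away for your own allow-lists is that the leading-dot pattern alone says nothing about what precedes the dot; the syntax gate is what makes it safe.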