RubySec

Providing security resources for the Ruby community

CVE-2021-22903 (actionpack): Possible Open Redirect Vulnerability in Action Pack

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v3: 6.1 (Medium)

UNAFFECTED VERSIONS

  • < 6.1.0.rc2

PATCHED VERSIONS

  • >= 6.1.3.2

DESCRIPTION

There is a possible Open Redirect Vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22903.

Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2

Impact

This is similar to CVE-2021-22881: Specially crafted Host headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts « “sub.example.com” to permit a request with a Host header value of sub-example.com.

Workarounds

The following monkey patch put in an initializer can be used as a workaround:

class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end