ADVISORIES
GEM
FRAMEWORK
SEVERITY
CVSS v3.x: 7.6 (High)
UNAFFECTED VERSIONS
- < 6.0.0
PATCHED VERSIONS
- ~> 6.0.4, >= 6.0.4.1
- >= 6.1.4.1
DESCRIPTION
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1
Impact
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.
Releases
The fixed releases are available at the normal locations.
Workarounds
In the case a patch can’t be applied, the following monkey patch can be used in an initializer:
module ActionDispatch
class HostAuthorization
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
private
def authorized?(request)
origin_host =
request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
forwarded_host =
request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
@permissions.allows?(origin_host) &&
(forwarded_host.blank? || @permissions.allows?(forwarded_host))
end
end
end