CVSS v3.x: 6.1 (Medium)
- < 7.0.0
- >= 188.8.131.52
There is a vulnerability in Action Controller’s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.
Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 184.108.40.206
There is a possible open redirect when using the redirect_to helper with untrusted user input.
Vulnerable code will look like this:
Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.
All users running an affected release should either upgrade or use one of the workarounds immediately.
There are no feasible workarounds for this issue.