ghsa-2rqw-v265-jf8c
Vulnerability from github
Overview
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0.
Not affected: < 6.0.0
Fixed Versions: 6.1.4.1, 6.0.4.1
Impact
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
```ruby
config.hosts << '.EXAMPLE.com'
```
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881, but the fix for CVE-2021-22881 did not take domain name case sensitivity into account.
Releases
The fixed releases are available at the normal locations.
Workarounds
If the fixed release can't be applied, the following monkey patch can be used in an initializer:
```ruby
module ActionDispatch
  class HostAuthorization
    # Case-insensitive hostname (or bracketed IPv6 literal); the /i flag is
    # what the CVE-2021-22881 fix was missing.
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    # Only the last entry of a comma-separated X-Forwarded-Host list is taken.
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        # Anything that does not parse as a plain hostname becomes "" and is denied.
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""

        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end
```
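To see what the workaround above actually enforces for a leading-dot allow-list entry like `.EXAMPLE.com`, here is a stand-alone model of the patched `authorized?` check. It is an added example, not code from the advisory or from Rails; `HostPermissions` is an assumed minimal stand-in for the middleware's own permissions object (leading dot = bare domain plus any subdomain, compared case-insensitively), and `blank?` is replaced by plain `empty?` so it runs without ActiveSupport.

```ruby
# Regexes copied from the advisory's workaround. Interpolating HOSTNAME keeps
# its /i flag, so mixed-case Host headers still parse instead of being dropped.
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

# Assumed stand-in for the middleware's permissions object (not Rails' class):
# ".EXAMPLE.com" allows example.com and any subdomain, case-insensitively.
class HostPermissions
  def initialize(hosts)
    @patterns = hosts.map do |h|
      if h.start_with?(".")
        /\A(.+\.)?#{Regexp.escape(h[1..-1])}\z/i
      else
        /\A#{Regexp.escape(h)}\z/i
      end
    end
  end

  def allows?(host)
    @patterns.any? { |p| p.match?(host) }
  end
end

# Extract the hostname the patch would check from a raw Host header value
# (port stripped); nil when the value is not a syntactically valid hostname.
def origin_host_from(host_header)
  host_header&.slice(VALID_ORIGIN_HOST, 1)
end

# Same for X-Forwarded-Host: only the last comma-separated entry is taken.
def forwarded_host_from(xfh_header)
  xfh_header&.slice(VALID_FORWARDED_HOST, 1)
end

# Mirrors the patched authorized?: unparseable headers become "" and are denied,
# and a present X-Forwarded-Host must be allowed as well as the Host header.
def authorized?(permissions, host_header, x_forwarded_host = nil)
  origin_host = origin_host_from(host_header) || ""
  forwarded_host = forwarded_host_from(x_forwarded_host) || ""
  permissions.allows?(origin_host) &&
    (forwarded_host.empty? || permissions.allows?(forwarded_host))
end

# Constructed allow-list matching the advisory's example configuration.
PERMS = HostPermissions.new([".EXAMPLE.com"])

if __FILE__ == $0
  puts authorized?(PERMS, "App.Example.COM:3000")            # true
  puts authorized?(PERMS, "example.com", "api.example.com")  # true
  puts authorized?(PERMS, "example.com", "evil.test")        # false
  puts authorized?(PERMS, "bad_host.example.com")            # false (no parse)
end
```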
Advisory metadata
Severity: MODERATE (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), CWE-601 (open redirect).
Published: 2021-08-26T20:36:51Z; last modified: 2024-02-02T16:47:01Z.
Affected package: actionpack (RubyGems): 6.0.0 up to and including 6.0.4 (fixed in 6.0.4.1) and 6.1.0 up to and including 6.1.4 (fixed in 6.1.4.1).
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-22942
- https://access.redhat.com/security/cve/cve-2021-22942
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
- https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
- https://rubygems.org/gems/actionpack
- https://security.netapp.com/advisory/ntap-20240202-0005
- https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
- https://www.debian.org/security/2023/dsa-5372
- http://www.openwall.com/lists/oss-security/2021/12/14/5