Possible Open Redirect in Host Authorization Middleware There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942. Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1 Impact Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this: config.hosts << '.EXAMPLE.com' When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website. This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.
Thanks! Please cleanup when ready.
Cleanup done.
Thanks, all done!