Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 809143 (CVE-2021-22942) - <dev-ruby/rails-{6.0.4.1,6.1.4.1}: Possible Open Redirect in Host Authorization Middleware (CVE-2021-22942)
Summary: <dev-ruby/rails-{6.0.4.1,6.1.4.1}: Possible Open Redirect in Host Authorizati...
Status: RESOLVED FIXED
Alias: CVE-2021-22942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-20 05:25 UTC by Hans de Graaff
Modified: 2021-08-29 13:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2021-08-20 05:25:35 UTC
Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1
Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.
Comment 1 John Helmert III gentoo-dev Security 2021-08-21 02:29:24 UTC
Thanks! Please cleanup when ready.
Comment 2 Hans de Graaff gentoo-dev 2021-08-29 06:42:12 UTC
Cleanup done.
Comment 3 John Helmert III gentoo-dev Security 2021-08-29 13:59:32 UTC
Thanks, all done!