6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22903

GHSA ID

GHSA-5hq2-xf89-9jxq

EPSS Score

0.36554%

CWE

CWE-601

Published

5/5/2021

Updated

8/17/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-22903

CVE-2021-22903: Possible Open Redirect Vulnerability in Action Pack

There is a possible Open Redirect Vulnerability in Action Pack.

Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2

Impact

This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch put in an initializer can be used as a workaround.

class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-open-redirect.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-22903

GHSA ID

GHSA-5hq2-xf89-9jxq

EPSS Score

0.36554%

CWE

CWE-601

Published

5/5/2021

Updated

8/17/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
actionpack	rubygems	>= 6.1.0.rc2, < 6.1.3.2	6.1.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper regex escaping in host validation logic. The workaround explicitly patches the sanitize_string method to add Regexp.escape, and the advisory explains that non-dot-prefixed hosts were converted to unsafe regex patterns. This function is directly responsible for processing allowed hosts into match patterns, making it the clear vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * possi*l* Op*n R**ir**t Vuln*r**ility in **tion P**k. V*rsions *****t**: >= v*.*.*.r** Not *****t**: < v*.*.*.r** *ix** V*rsions: *.*.*.* Imp**t ------ T*is is simil*r to *V*-****-*****. Sp**i*lly *r**t** *ost *****rs in *om*in

Reasoning

T** vuln*r**ility st*ms *rom improp*r r***x *s**pin* in *ost v*li**tion lo*i*. T** work*roun* *xpli*itly p*t***s t** s*nitiz*_strin* m*t*o* to *** R***xp.*s**p*, *n* t** **visory *xpl*ins t**t non-*ot-pr**ix** *osts w*r* *onv*rt** to uns*** r***x p*t

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-22903: Possible Open Redirect Vulnerability in Action Pack

Impact

Releases

Workarounds

Patches

Credits

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI