High severityNVD Advisory· Published May 27, 2021· Updated Aug 3, 2024
CVE-2021-22885
CVE-2021-22885
Description
A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the redirect_to or polymorphic_urlhelper with untrusted user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 |
actionpackRubyGems | >= 6.1.0, < 6.1.3.2 | 6.1.3.2 |
actionpackRubyGems | >= 5.2.5, < 5.2.6 | 5.2.6 |
actionpackRubyGems | >= 2.0.0, < 5.2.4.6 | 5.2.4.6 |
Affected products
13- Action Pack/Action Packdescription
- ghsa-coords12 versionspkg:gem/actionpackpkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.2pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/rubygem-actionpack-6.0&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rubygem-actionpack-3_2&distro=SUSE%20WebYast%201.3pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3
>= 6.0.0, < 6.0.3.7+ 11 more
- (no CPE)range: >= 6.0.0, < 6.0.3.7
- (no CPE)range: < 5.1.4-lp152.5.6.1
- (no CPE)range: < 5.1.4-3.9.1
- (no CPE)range: < 6.0.4.4-1.1
- (no CPE)range: < 3.2.12-0.27.3.1
- (no CPE)range: < 4.2.9-7.12.1
- (no CPE)range: < 4.2.9-7.12.1
- (no CPE)range: < 4.2.9-7.12.1
- (no CPE)range: < 5.1.4-3.9.1
- (no CPE)range: < 5.1.4-3.9.1
- (no CPE)range: < 5.1.4-3.9.1
- (no CPE)range: < 5.1.4-3.9.1
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-hjg4-8q5f-x6fmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-22885ghsaADVISORY
- www.debian.org/security/2021/dsa-4929mitrevendor-advisoryx_refsource_DEBIAN
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.ymlghsaWEB
- groups.google.com/g/rubyonrails-security/c/NiQl-48cXYIghsaWEB
- hackerone.com/reports/1106652ghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20210805-0009ghsaWEB
- security.netapp.com/advisory/ntap-20210805-0009/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.