VYPR
Moderate severityNVD Advisory· Published Jun 11, 2021· Updated Aug 3, 2024

CVE-2021-22903

CVE-2021-22903

Description

The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
actionpackRubyGems
>= 6.1.0.rc2, < 6.1.3.26.1.3.2

Affected products

2
  • actionpack/actionpack ruby gemdescription
  • ghsa-coords
    Range: >= 6.1.0.rc2, < 6.1.3.2

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.