High severity · OSV Advisory · Published Sep 12, 2021 · Updated Sep 16, 2024
Open Redirect
CVE-2021-23435
Description
This affects the package clearance before 2.5.0. The vulnerability is possible when users are able to set the value of session[:return_to]. If the value used for return_to contains multiple leading slashes (/////example.com), the user ends up being redirected to the external domain that comes after the slashes (http://example.com).
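The slash-prefix failure mode described above, as an added example (constructed here; it is neither clearance's own code nor the fix in the linked pull request, and the helper names are hypothetical): a naive "starts with a slash" check beside a hardened validator that rejects scheme-relative targets before they reach a redirect.

```ruby
require "uri"

# Naive check: accepts anything beginning with "/", so "//example.com" and
# "/////example.com" pass. A Location header of "//host/..." is treated by
# browsers as scheme-relative, so the user lands on the external host.
def naive_safe_return_to?(value)
  value.is_a?(String) && value.start_with?("/")
end

# Hardened check (hypothetical helper): the value must be a single-slash
# relative path. Reject "//", "/\" and "\\" prefixes outright, then require
# that the parser sees no scheme, host or userinfo in what remains.
def safe_return_to?(value)
  return false unless value.is_a?(String) && !value.empty?
  return false if value.match?(%r{\A[/\\]{2}})   # scheme-relative forms
  return false unless value.start_with?("/")
  uri = URI.parse(value)
  uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil?
rescue URI::InvalidURIError
  false
end

# Pick the post-login destination, falling back to a known-safe local path
# whenever the stored return_to fails validation.
def redirect_target(session_return_to, default = "/")
  safe_return_to?(session_return_to) ? session_return_to : default
end

if __FILE__ == $PROGRAM_NAME
  ["/dashboard", "//example.com", "/////example.com", "http://example.com"].each do |candidate|
    puts format("%-20s naive=%-5s hardened=%-5s -> %s",
                candidate, naive_safe_return_to?(candidate),
                safe_return_to?(candidate), redirect_target(candidate))
  end
end
```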
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| clearance (RubyGems) | < 2.5.0 | 2.5.0 |
Affected products
- Range: 0.4.9, 0.5.1, 0.5.2, …
References
- github.com/advisories/GHSA-4hpq-rjcx-7vj9 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23435 (advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/clearance/CVE-2021-23435.yml (web)
- github.com/thoughtbot/clearance/pull/945 (web)
- snyk.io/vuln/SNYK-RUBY-CLEARANCE-1577284 (web)