Moderate severityNVD Advisory· Published Jan 7, 2022· Updated Aug 4, 2024
CVE-2021-44528
CVE-2021-44528
Description
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 6.0.0, < 6.0.4.2 | 6.0.4.2 |
actionpackRubyGems | >= 6.1.0, < 6.1.4.2 | 6.1.4.2 |
Affected products
4- Action Pack/Action Packdescription
- osv-coords3 versionspkg:bitnami/railspkg:gem/actionpackpkg:rpm/opensuse/rubygem-actionpack-6.0&distro=openSUSE%20Tumbleweed
>= 7.0.0-rc2, <= 7.0.0-rc2+ 2 more
- (no CPE)range: >= 7.0.0-rc2, <= 7.0.0-rc2
- (no CPE)range: >= 6.0.0, < 6.0.4.2
- (no CPE)range: < 6.0.4.4-1.1
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-qphc-hf5q-v8fcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-44528ghsaADVISORY
- www.debian.org/security/2023/dsa-5372ghsavendor-advisoryWEB
- github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.mdghsaWEB
- github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815ghsaWEB
- github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.ymlghsaWEB
- groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJghsaWEB
- groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJghsaWEB
- security.netapp.com/advisory/ntap-20240208-0003ghsaWEB
- security.netapp.com/advisory/ntap-20240208-0003/mitre
News mentions
0No linked articles in our index yet.