Medium severity 4.0 · OSV Advisory · Published Jan 9, 2025 · Updated Apr 15, 2026
CVE-2023-28362
Description
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | < 6.1.7.4 | 6.1.7.4 |
| actionpack (RubyGems) | >= 7.0.0, < 7.0.5.1 | 7.0.5.1 |
Affected products (11)
- Range: v0.10.0, v0.10.1, v0.11.0, …
- ghsa-coords, 10 versions (no CPE for any entry):

| Package URL | Affected range |
|---|---|
| pkg:gem/actionpack | < 6.1.7.4 |
| pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.4 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.5 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 | < 4.2.9-7.18.1 |
| pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 | < 4.2.9-7.18.1 |
| pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4 | < 5.1.4-150000.3.18.1 |
| pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5 | < 5.1.4-150000.3.18.1 |
References (9)
- github.com/advisories/GHSA-4g8v-vg43-wpgf (nvd, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-28362 (ghsa, ADVISORY)
- discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132 (nvd, WEB)
- github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441 (nvd, WEB)
- github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5 (nvd, WEB)
- github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23 (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250502-0009 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250502-0009/ (nvd)