CVE-2021-44528

A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type: GIT
Repo: https://github.com/rails/rails
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

5e52f65fe99c46d40602f2b46418a3f9fee2260e

Last affected

69e2e898478a1795913b8fda7cb95079228f8fb2

Last affected

9ef61211d7861093a69fa1fbfc2ba136abd37cd2

Affected versions

v0.*

v0.10.0

v0.10.1

v0.11.0

v0.11.1

v0.12.0

v0.13.0

v0.13.1

v0.14.1

v0.14.3

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.4.1

v0.9.5

v1.*

v1.1.0

v1.1.0_RC1

v1.1.1

v2.*

v2.0.0

v2.0.0_PR

v2.0.0_RC1

v2.0.0_RC2

v2.0.1

v2.1.0

v2.1.0_RC1

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.2.1

v3.*

v3.0.0.beta.2

v3.0.0.beta.3

v3.0.0.beta1

v3.0.0.beta2

v3.0.0.beta3

v3.0.0.beta4

v3.0.0_RC

v3.1.0.beta1

v3.1.0.rc1

v3.2.0.rc1

v4.*

v4.0.0.beta1

v4.0.0.rc1

v4.1.0.beta1

v4.1.0.beta2

v4.2.0.beta1

v4.2.0.beta4

v5.*

v5.0.0.beta1

v5.0.0.beta1.1

v5.0.0.beta2

v5.0.0.beta3

v5.0.0.beta4

v5.0.0.rc1

v5.1.0.beta1

v6.*

v6.0.0

v6.0.0.beta1

v6.0.0.beta2

v6.0.0.beta3

v6.0.0.rc1

v6.0.1.rc1

v6.0.2

v6.0.2.1

v6.0.2.2

v6.0.2.rc1

v6.0.2.rc2

v6.0.3

v6.0.3.1

v6.0.3.2

v6.0.3.3

v6.0.3.4

v6.0.3.5

v6.0.3.6

v6.0.3.7

v6.0.3.rc1

v6.0.4

v6.0.4.1

v6.0.4.2

v6.1.0

v6.1.0.rc1

v6.1.0.rc2

v6.1.1

v6.1.2

v6.1.2.1

v6.1.3

v6.1.3.1

v6.1.3.2

v6.1.4

v6.1.4.1

v6.1.4.2

v7.*

v7.0.0.alpha1

v7.0.0.alpha2

v7.0.0.rc1

v7.0.0.rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44528.json"