CVE-2023-28362

Source
https://cve.org/CVERecord?id=CVE-2023-28362
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28362.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28362
Aliases
Downstream
Related
Published
2025-01-09T00:33:47.730Z
Modified
2026-07-08T07:34:21.099521399Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28362.json",
    "cna_assigner": "hackerone"
}
References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "7.0.5.1"
        },
        {
            "last_affected": "7.0.5.1"
        },
        {
            "introduced": "6.1.7.4"
        },
        {
            "last_affected": "6.1.7.4"
        }
    ]
}

Affected versions

6.*
6.1.7.4
7.*
7.0.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28362.json"