GHSA-2rqw-v265-jf8c

Source

https://github.com/advisories/GHSA-2rqw-v265-jf8c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-2rqw-v265-jf8c/GHSA-2rqw-v265-jf8c.json

Aliases

CVE-2021-22942

Published

2021-08-26T20:36:51Z

Modified

2024-02-21T05:31:33.873268Z

Details

Overview

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1

Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.

Releases

The fixed releases are available at the normal locations.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.4.1

Affected versions

6.*

6.0.0

6.0.1.rc1

6.0.1

6.0.2.rc1

6.0.2.rc2

6.0.2

6.0.2.1

6.0.2.2

6.0.3.rc1

6.0.3

6.0.3.1

6.0.3.2

6.0.3.3

6.0.3.4

6.0.3.5

6.0.3.6

6.0.3.7

6.0.4

Database specific

{
    "last_known_affected_version_range": "<= 6.0.4"
}

RubyGems / actionpack

Package

Name: actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.4.1

Affected versions

6.*

6.1.0

6.1.1

6.1.2

6.1.2.1

6.1.3

6.1.3.1

6.1.3.2

6.1.4

Database specific

{
    "last_known_affected_version_range": "<= 6.1.4"
}