GHSA-8877-prq4-9xfw

Suggest an improvement
Source
https://github.com/advisories/GHSA-8877-prq4-9xfw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-8877-prq4-9xfw/GHSA-8877-prq4-9xfw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8877-prq4-9xfw
Aliases
Published
2021-03-02T03:44:17Z
Modified
2024-02-20T05:32:38.542795Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Actionpack Open Redirect Vulnerability
Details

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.3.5

Affected versions

6.*

6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4

Database specific

{
    "last_known_affected_version_range": "<= 6.0.3.4"
}

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2.1

Affected versions

6.*

6.1.0
6.1.1
6.1.2

Database specific

{
    "last_known_affected_version_range": "<= 6.1.2.0"
}