Open Redirect Affecting rails package, versions <2:6.0.3.5+dfsg-1


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.26% (67th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN13-RAILS-5694332
  • published13 Feb 2021
  • disclosed11 Feb 2021

Introduced: 11 Feb 2021

CVE-2021-22881  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade Debian:13 rails to version 2:6.0.3.5+dfsg-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rails package and not the rails package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

CVSS Scores

version 3.1