CVE-2021-22881

Опубликовано: 11 фев. 2021

Источник: nvd

CVSS3: 6.1

CVSS2: 5.8

EPSS Низкий

Описание

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

Ссылки

http://www.openwall.com/lists/oss-security/2021/05/05/2
Mailing List
Mitigation
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/20/1
Mailing List
Mitigation
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/14/5
Exploit
Mailing List
Patch
https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/
Patch
Third Party Advisory
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Mitigation
Patch
Vendor Advisory
https://hackerone.com/reports/1047447
Exploit
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
http://www.openwall.com/lists/oss-security/2021/05/05/2
Mailing List
Mitigation
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/08/20/1
Mailing List
Mitigation
Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/12/14/5
Exploit
Mailing List
Patch
https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/
Patch
Third Party Advisory
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Mitigation
Patch
Vendor Advisory
https://hackerone.com/reports/1047447
Exploit
Patch
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Версия от 6.0.0 (включая) до 6.0.3.5 (исключая)

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Версия от 6.1.0 (включая) до 6.1.2.1 (исключая)

Конфигурация 2

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.09022

Низкий

6.1 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-601

Связанные уязвимости

CVE-2021-22881

CVSS3: 6.1

ubuntu

почти 5 лет назад

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

CVE-2021-22881

CVSS3: 6.1

redhat

почти 5 лет назад

CVE-2021-22881

CVSS3: 6.1

debian

почти 5 лет назад

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3 ...

GHSA-8877-prq4-9xfw

CVSS3: 6.1

github

почти 5 лет назад

Actionpack Open Redirect Vulnerability

EPSS

Процентиль: 92%

0.09022

Низкий

6.1 Medium

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-601