CVE-2021-44528
A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
| Software | From | Fixed in |
|---|---|---|
| rubyonrails / rails | 7.0.0-rc2 | 7.0.0-rc2.x |
| rubyonrails / rails | 6.1.4.2 | 6.1.4.2.x |
| rubyonrails / rails | 6.0.4.2 | 6.0.4.2.x |
actionpack
|
6.0.0 | 6.0.4.2 |
|
actionpack
|
6.1.0 | 6.1.4.2 |
- https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
- https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
- https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
- https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
- https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
- https://security.netapp.com/advisory/ntap-20240208-0003/
- https://www.debian.org/security/2023/dsa-5372
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime