BIT-rails-2021-44528
Open Redirect vulnerability in actionpack (RubyGems)
What is BIT-rails-2021-44528 About?
This vulnerability allows an open redirect when specially crafted 'X-Forwarded-Host' headers are combined with specific 'allowed host' formats. It can redirect users to malicious websites. The risk is rated medium: it depends on a specific application configuration, but where that configuration is present it can be exploited with moderate ease. The issue arises when an allowed host is configured with a leading dot, enabling a bypass of the host authorization check.
Affected Software
- actionpack
- >=6.0.0, <6.0.4.2
- >=6.1.0, <6.1.4.2
Technical Details
The vulnerability lies within the Host Authorization middleware in Action Pack when processing 'X-Forwarded-Host' headers in conjunction with 'allowed host' configurations that contain a leading dot (e.g., '.EXAMPLE.com'). An attacker can craft an 'X-Forwarded-Host' header to trick the application into believing the host is legitimate while it actually points to an arbitrary malicious domain. When the application then generates a redirect, it uses the manipulated host, directing the user to the attacker-controlled site. This bypasses the intended host validation because the leading-dot form of the allowed host, meant to admit subdomains, is matched loosely enough that a carefully constructed 'X-Forwarded-Host' value also passes the check.
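As an added, defender-side illustration (example code written for this page, not Rails's own HostAuthorization middleware or its patch), the following Ruby shows the allow-list semantics the advisory describes: exact entries and leading-dot entries such as '.example.com', with anchored matching, strict normalization of the header value, and 'X-Forwarded-Host' honoured only when the request arrived via a trusted proxy. The treatment of a leading-dot entry as matching the base domain plus its subdomains, the 'trusted_proxies' list, and the Rack-style 'env' hash are assumptions of this example.

```ruby
# Added illustrative example (not Rails's ActionDispatch::HostAuthorization code).
# Demonstrates a host allow-list check of the kind the advisory describes: exact
# entries and leading-dot entries such as ".example.com", with the effective host
# taken from X-Forwarded-Host only when the request came through a trusted proxy.

# A single plain hostname: dot-separated labels of letters, digits and hyphens.
# Anchored at both ends so nothing can be appended or prepended past the match.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/

# Normalize a Host / X-Forwarded-Host value for comparison. Returns nil for anything
# that is not one plain hostname (comma lists, whitespace, paths, empty values), so a
# crafted header is rejected outright instead of being partially matched.
def normalize_host(value)
  return nil if value.nil?
  host = value.strip.downcase
  host = host.sub(/:\d+\z/, "")   # drop an explicit port
  host = host.chomp(".")          # drop a trailing dot (FQDN form)
  HOSTNAME_RE.match?(host) ? host : nil
end

# Allow-list semantics assumed here: a plain entry must match exactly; a leading-dot
# entry ".example.com" matches example.com itself and any subdomain of it. The suffix
# comparison keeps the dot, so "evilexample.com" does not match ".example.com", and
# the normalized host is a complete hostname, so "example.com.other.example" fails too.
def host_allowed?(raw_host, allowed_hosts)
  host = normalize_host(raw_host)
  return false if host.nil?
  allowed_hosts.any? do |entry|
    entry = entry.downcase
    if entry.start_with?(".")
      host == entry[1..-1] || host.end_with?(entry)
    else
      host == entry
    end
  end
end

# Choose the host the check applies to. X-Forwarded-Host is honoured only when the
# immediate peer (REMOTE_ADDR) is a proxy we operate; otherwise the Host header is
# used. env is a Rack-style hash; trusted_proxies is an assumed, app-supplied list.
# A multi-valued forwarded header is not split here; normalize_host rejects it.
def effective_host(env, trusted_proxies)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  if forwarded && trusted_proxies.include?(env["REMOTE_ADDR"])
    forwarded
  else
    env["HTTP_HOST"]
  end
end

def request_allowed?(env, allowed_hosts:, trusted_proxies: [])
  host_allowed?(effective_host(env, trusted_proxies), allowed_hosts)
end

if __FILE__ == $PROGRAM_NAME
  allowed = [".example.com"]
  # Constructed sample requests: same headers, different immediate peers.
  direct = { "REMOTE_ADDR" => "203.0.113.5", "HTTP_HOST" => "www.example.com",
             "HTTP_X_FORWARDED_HOST" => "other.example" }
  via_proxy = direct.merge("REMOTE_ADDR" => "10.0.0.1")
  # Direct client: forwarded header is ignored, Host is allowed.
  puts request_allowed?(direct, allowed_hosts: allowed, trusted_proxies: ["10.0.0.1"])
  # Via trusted proxy: forwarded host is checked and is not on the list.
  puts request_allowed?(via_proxy, allowed_hosts: allowed, trusted_proxies: ["10.0.0.1"])
end
```

The two points a reviewer would look for in a real middleware are visible here: the host value is reduced to one well-formed hostname before any comparison, and the leading-dot entry is matched as an anchored suffix on a label boundary rather than as a loose pattern. Neither replaces upgrading actionpack to a fixed version.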
What is the Impact of BIT-rails-2021-44528?
Successful exploitation may allow attackers to redirect users to arbitrary malicious websites, leading to phishing attacks, credential theft, or drive-by downloads, compromising user trust and potentially leading to further system compromise.
What is the Exploitability of BIT-rails-2021-44528?
Exploitation of this vulnerability requires the attacker to craft specific 'X-Forwarded-Host' headers. The complexity is moderate, as it relies on a specific configuration where 'allowed hosts' have a leading dot. No authentication is required, and access can be entirely remote, as it involves manipulating HTTP headers. The primary constraint is the target application's specific 'allowed host' configuration. The presence of such a configuration significantly increases the likelihood of a successful exploit.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-rails-2021-44528?
Available Upgrade Options
- actionpack
- >=6.0.0, <6.0.4.2 → Upgrade to 6.0.4.2
- >=6.1.0, <6.1.4.2 → Upgrade to 6.1.4.2
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2021-44528
- https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
- https://github.com/rails/rails
- https://www.debian.org/security/2023/dsa-5372
- https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
- https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
- https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
- https://security.netapp.com/advisory/ntap-20240208-0003
What are Similar Vulnerabilities to BIT-rails-2021-44528?
Similar Vulnerabilities: CVE-2021-22881, CVE-2021-22942, CVE-2020-8193, CVE-2020-8277, CVE-2016-1000030
