CVE-2021-22942
open redirect vulnerability in actionpack (RubyGems)
What is CVE-2021-22942 About?
This open redirect vulnerability in Action Pack's Host Authorization middleware allows attackers to redirect users to malicious websites. An attacker who crafts an 'X-Forwarded-Host' header against an application whose 'allowed host' configuration uses a particular format can send users unwittingly to attacker-controlled sites, which makes exploitation moderately easy. The impact is phishing and further compromise through social engineering.
Affected Software
- actionpack
  - >=6.1.0, <6.1.4.1
  - >=6.0.0, <6.0.4.1
Technical Details
The vulnerability lies in the Host Authorization middleware in Action Pack and affects versions >= 6.0.0 prior to the fixed releases. Specifically, applications configured with an 'allowed host' that begins with a leading dot (e.g., .EXAMPLE.com) are vulnerable. An attacker can craft a malicious X-Forwarded-Host header that, when processed by the vulnerable middleware, bypasses the intended host authorization check: the middleware accepts the value as belonging to the allowed domain, yet a redirect built from it points to an attacker-controlled external domain. For instance, if .EXAMPLE.com is allowed, an attacker might send an X-Forwarded-Host header such as malicious.site.EXAMPLE.com. The middleware processes this value incorrectly, and if the application then constructs a redirect URL from parts of the header, the user can end up at https://malicious.site instead of a location within .EXAMPLE.com.
What is the Impact of CVE-2021-22942?
Successful exploitation may allow attackers to redirect users to malicious websites, facilitating phishing attacks, credential theft, and the delivery of malware, thereby compromising user accounts and device security.
What is the Exploitability of CVE-2021-22942?
Exploitation involves crafting a specific HTTP header (X-Forwarded-Host) and sending it to the target application. No authentication or special privileges are required, so this is an unauthenticated remote attack. The complexity is moderate, because it requires knowledge of the target application's allowed host configuration and of how to manipulate HTTP headers. The only prerequisite is the ability to send HTTP requests to the target application. The risk is significantly higher when the application's configuration includes an allowed host with a leading dot, since that specific configuration pattern is what enables the bypass.
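The two sections above describe the defensive point of the fix: a forwarded host value must be validated as a well-formed hostname before it is matched against the allow list, and a leading-dot entry such as .example.com must only ever match DNS labels followed by that domain. The following is an added illustration in plain Ruby; it is not the Rails HostAuthorization code and does not reproduce the project's implementation. The allow list and the header values are constructed for the example.

```ruby
# Added example: a strict host allow-list check written for this page.
# It is NOT the Rails middleware; it only shows the two rules a defender
# wants: (1) reject anything that is not a syntactically valid hostname
# before matching, and (2) make ".example.com" match the domain itself or
# a chain of DNS labels followed by ".example.com", nothing else.

HOST_LABEL  = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\z/i # one DNS label
PORT_SUFFIX = /:\d{1,5}\z/                           # optional ":port"

# Returns the bare, lower-cased hostname (port removed) when the value is a
# well-formed hostname, or nil when it contains anything else: slashes, "@",
# whitespace, empty labels, labels starting or ending with a hyphen, ...
def sanitize_host(value)
  return nil if value.nil?
  host = value.strip.sub(PORT_SUFFIX, "").downcase
  return nil if host.empty?
  labels = host.split(".", -1) # -1 keeps empty labels so "a..b" fails
  return nil unless labels.all? { |label| label.match?(HOST_LABEL) }
  host
end

# Does an already-sanitised +host+ match one allow-list +entry+?
#   ".example.com" -> example.com or any subdomain of it
#   "example.com"  -> exactly example.com
#   Regexp         -> must match the whole hostname, not a substring
def allowed_by?(entry, host)
  case entry
  when Regexp
    host.match?(/\A(?:#{entry.source})\z/i)
  when String
    if entry.start_with?(".")
      domain = entry[1..].downcase
      host == domain || host.end_with?(".#{domain}")
    else
      host == entry.downcase
    end
  else
    false
  end
end

# Decide whether a request may be served. X-Forwarded-Host, when present,
# is the value a reverse proxy claims the client used, so it is checked
# with exactly the same rigour as the Host header. A value that fails
# sanitisation is rejected outright: it is never matched against the list
# and never echoed back to the client in a redirect.
def host_permitted?(allowed_hosts, forwarded_host: nil, host: nil)
  candidate = sanitize_host(forwarded_host || host)
  return false if candidate.nil?
  allowed_hosts.any? { |entry| allowed_by?(entry, candidate) }
end

# Constructed allow list for the example (not a real deployment).
ALLOWED = [".example.com", "localhost", /192\.168\.\d+\.\d+/].freeze

if $PROGRAM_NAME == __FILE__
  [
    { host: "www.example.com" },
    { forwarded_host: "api.Example.com:8080" },
    { forwarded_host: "notexample.com" },
    { forwarded_host: "bad host/.example.com" }, # not a hostname: rejected
    { forwarded_host: "-bad.example.com" },      # label cannot start with "-"
    { forwarded_host: "192.168.1.20" },
  ].each do |req|
    puts "#{req.inspect} => #{host_permitted?(ALLOWED, **req)}"
  end
end
```

The essential ordering is sanitise first, match second: once the candidate is known to consist only of DNS labels, a suffix comparison against ".example.com" cannot be satisfied by a value that also names some other site, because such a value is no longer a hostname at all.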
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-22942?
Available Upgrade Options
- actionpack
  - >=6.0.0, <6.0.4.1 → Upgrade to 6.0.4.1
  - >=6.1.0, <6.1.4.1 → Upgrade to 6.1.4.1
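A practical check for the upgrade guidance above: read the resolved actionpack version out of a Gemfile.lock and compare it against the affected ranges and fixed releases listed on this page. This is an added example written for this page, not a tool shipped by Rails or RubyGems; it uses only the stdlib Gem::Version and Gem::Requirement classes, and the lockfile excerpt is constructed.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement come with the stdlib

# Affected ranges and fixed releases exactly as stated in the advisory above.
CVE_2021_22942_RANGES = [
  { requirement: [">= 6.0.0", "< 6.0.4.1"], fixed: "6.0.4.1" },
  { requirement: [">= 6.1.0", "< 6.1.4.1"], fixed: "6.1.4.1" },
].freeze

# Returns { affected: true/false, upgrade_to: "x.y.z" or nil } for a given
# actionpack version string. Gem::Version handles pre-release tags and
# four-part versions such as 6.1.4.1 correctly, so no manual parsing is done.
def cve_2021_22942_status(version_string)
  version = Gem::Version.new(version_string)
  CVE_2021_22942_RANGES.each do |entry|
    if Gem::Requirement.new(*entry[:requirement]).satisfied_by?(version)
      return { affected: true, upgrade_to: entry[:fixed] }
    end
  end
  { affected: false, upgrade_to: nil }
end

# Pull the resolved actionpack version from Gemfile.lock text. In the
# "specs:" block a resolved gem sits at four-space indentation with its
# version in parentheses; dependency lines sit deeper and carry operators
# such as "(= 6.1.4)", so they are deliberately not matched.
def actionpack_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}actionpack \((\d[^)\s]*)\)/)
  match && match[1]
end

# Version of actionpack loaded in the current process, if any
# (useful from a Rails console); nil when the gem is not installed.
def installed_actionpack_version
  Gem::Specification.find_by_name("actionpack").version.to_s
rescue Gem::LoadError
  nil
end

# Constructed Gemfile.lock excerpt for the example; not a real project's file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.4)
        actionview (= 6.1.4)
        rack (~> 2.0, >= 2.0.9)
      railties (6.1.4)
        actionpack (= 6.1.4)
LOCK

if $PROGRAM_NAME == __FILE__
  version = actionpack_version_from_lockfile(SAMPLE_LOCK)
  puts "actionpack #{version}: #{cve_2021_22942_status(version).inspect}"
end
```

To run this against a real project, replace SAMPLE_LOCK with `File.read("Gemfile.lock")`; a result of `affected: true` means the lockfile pins a release inside one of the two ranges and names the minimum release to move to.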
Additional Resources
- https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
- https://security.netapp.com/advisory/ntap-20240202-0005
- https://nvd.nist.gov/vuln/detail/CVE-2021-22942
- https://rubygems.org/gems/actionpack
- https://osv.dev/vulnerability/GHSA-2rqw-v265-jf8c
- http://www.openwall.com/lists/oss-security/2021/12/14/5
- https://github.com/rails/rails
- https://www.debian.org/security/2023/dsa-5372
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
What are Similar Vulnerabilities to CVE-2021-22942?
Similar Vulnerabilities: CVE-2021-22881, CVE-2020-8199, CVE-2018-1000600, CVE-2016-2090, CVE-2014-0107
