CVE-2023-28362
Cross-site Scripting vulnerability in actionpack (RubyGems)

Category: Cross-site Scripting. Known public exploit: none.

What is CVE-2023-28362 About?

The redirect_to method in Rails accepts redirect targets that contain characters which are not legal in an HTTP header value and writes them into the Location header. Downstream services that enforce RFC compliance on response headers may then remove that header, leaving the browser on a static redirection page on which a Cross-site Scripting (XSS) payload can be delivered. Exploitation requires user interaction and a Rails application configured to allow redirects to external hosts, so it is of moderate complexity.

Affected Software

  • actionpack
    • <6.1.7.4
    • >=7.0.0, <7.0.5.1

Technical Details

The redirect_to method in actionpack, in every release before 6.1.7.4 and in 7.0.0 up to but not including 7.0.5.1, does not strip all characters that are illegal in an HTTP header value from the redirect target, so they can be written into the Location header. Downstream HTTP intermediaries (proxies, load balancers, CDNs) that strictly enforce RFC compliance on response headers may drop or rewrite a header containing such characters. If the Location header is removed, the browser no longer follows a redirect and instead renders the small HTML body that Rails emits alongside the 302 status, which contains a link to the original target. When that target is an XSS payload such as javascript:alert(1), the link on this now static page becomes a clickable vector. The chain therefore needs user interaction (the click) and a Rails application that permits redirects to external hosts: new Rails 7.0+ applications reject external redirects by default through raise_on_open_redirects, while 6.1 has no such check, so the application must be passing user-controlled input to redirect_to with that protection absent or disabled.
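The chain described above, modelled end to end as an added example in plain Ruby (it is not actionpack's code and does not need Rails): a redirect target carrying a control character reaches the Location header, a strict proxy drops that header, and the static redirect body still links to the attacker's target. The character class in ILLEGAL_HEADER_VALUE_REGEX, the "legacy" behaviour that only removes NUL, CR and LF, the redirect-body wording, the ALLOWED_HOSTS list and all function names are this example's own assumptions. The hardened path strips illegal characters and then refuses anything that is not a relative path or an approved host, which is the combination of controls the advisory's preconditions point at.

```ruby
require "erb"
require "uri"

# Characters that are not legal in an HTTP field value (RFC 9110 permits only
# VCHAR, SP, HTAB and obs-text). The class is this example's own choice, in the
# spirit of the Rails fix rather than a quotation of it.
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F\x7F]/

# Assumed pre-fix behaviour: only NUL, CR and LF are removed, so a character such
# as \x0B (vertical tab) survives into the header value.
def legacy_location(target)
  target.delete("\0\r\n")
end

# Hardened behaviour: strip every character that may not appear in a header.
def sanitized_location(target)
  target.gsub(ILLEGAL_HEADER_VALUE_REGEX, "")
end

def header_value_valid?(value)
  !value.match?(ILLEGAL_HEADER_VALUE_REGEX)
end

# What a redirect looks like once built: a 302, a Location header and a small
# HTML body linking to the same target. HTML escaping neutralises markup in the
# href but does nothing about a javascript: scheme.
def build_redirect(target, sanitize:)
  location = sanitize ? sanitized_location(target) : legacy_location(target)
  body = "<html><body>You are being " \
         "<a href=\"#{ERB::Util.html_escape(location)}\">redirected</a>." \
         "</body></html>"
  { status: 302, headers: { "Location" => location }, body: body }
end

# A strict intermediary: any header whose value is illegal is dropped, which
# turns the 302 into a page the browser actually renders.
def strict_proxy(response)
  kept = response[:headers].select { |_, v| header_value_valid?(v) }
  response.merge(headers: kept)
end

# Host allow-list in the spirit of raise_on_open_redirects: relative paths and
# http(s) URLs on an approved host pass; other hosts, protocol-relative URLs and
# javascript:/data: schemes are treated as external. Constructed host list.
ALLOWED_HOSTS = ["app.example.com"].freeze

def external_redirect?(target)
  uri = URI.parse(target)
  return false if uri.scheme.nil? && uri.host.nil?   # relative path
  !(uri.scheme.to_s.match?(/\Ahttps?\z/) && ALLOWED_HOSTS.include?(uri.host))
rescue URI::InvalidURIError
  true
end

# Combined defence: sanitise first, then refuse anything that leaves the site.
# Returns the safe target, or nil when no redirect should be issued.
def safe_redirect_target(target)
  clean = sanitized_location(target)
  external_redirect?(clean) ? nil : clean
end

if __FILE__ == $0
  payload = "javascript:alert(1)\x0B"   # constructed attacker input
  p strict_proxy(build_redirect(payload, sanitize: false))  # Location dropped, link stays
  p strict_proxy(build_redirect(payload, sanitize: true))   # Location kept, no static page
  p safe_redirect_target(payload)                           # nil: scheme is not http(s)
end
```

Run it with `ruby redirect_chain.rb`. Header sanitisation alone is what the fixed gem versions add; the allow-list is the separate control that keeps user-controlled input from ever reaching an external or javascript: target, and it is the reason the advisory treats external redirects as a precondition.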

What is the Impact of CVE-2023-28362?

Successful exploitation may allow attackers to deliver a Cross-site Scripting (XSS) payload to affected users. This can lead to session hijacking, defacement, or redirection to malicious sites, impacting user confidentiality and integrity.

What is the Exploitability of CVE-2023-28362?

Exploitation is of moderate complexity and depends on several conditions holding at once: the application must pass user-controlled input to redirect_to, it must allow redirects to external hosts (not the default for new Rails 7.0+ applications), an intermediary between the application and the user must strip the Location header because of the illegal characters, and the user must click the link on the resulting static page. No authentication is required at the injection point when the redirect target is user-controlled, and the attack is remote: the attacker crafts a URL that triggers the redirect and delivers it through social engineering. The risk factors are lax redirect configuration and users' susceptibility to malicious links.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2023-28362?

Available Upgrade Options

  • actionpack
    • <6.1.7.4 → Upgrade to 6.1.7.4
  • actionpack
    • >=7.0.0, <7.0.5.1 → Upgrade to 7.0.5.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-28362?

Similar Vulnerabilities: CVE-2022-40754, CVE-2021-38556, CVE-2020-13935, CVE-2018-1323, CVE-2016-10002