CVE-2021-22942
medium
CVSS v3
—
CVSS v2
—
VIR risk
5.5
Description
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-22942
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 14.5.0-1 | |
| debian | bookworm | fixed | 2:6.1.4.1+dfsg-3 |
| debian | bullseye | fixed | 2:6.0.3.7+dfsg-2+deb11u1 |
| debian | forky | fixed | 2:6.1.4.1+dfsg-3 |
| debian | sid | fixed | 2:6.1.4.1+dfsg-3 |
| debian | trixie | fixed | 2:6.1.4.1+dfsg-3 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionpack | !< 6.0.0||<~> 6.0.4, >= 6.0.4.1 | ~> 6.0.4, >= 6.0.4.1 |
| RubyGems | actionpack | >=6.0.0,<6.0.4.1 | 6.0.4.1 |
| RubyGems | actionpack | >=6.1.0,<6.1.4.1 | 6.1.4.1 |
References
- https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
- https://nvd.nist.gov/vuln/detail/CVE-2021-22942
- https://access.redhat.com/security/cve/cve-2021-22942
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
- https://rubygems.org/gems/actionpack
- https://security.netapp.com/advisory/ntap-20240202-0005
- https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released
- https://www.debian.org/security/2023/dsa-5372
- http://www.openwall.com/lists/oss-security/2021/12/14/5
- https://security-tracker.debian.org/tracker/CVE-2021-22942
Verify integrity in audit chain (admin only). AS-IS.