CVE-2023-28362
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-28362
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-28362.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 2:6.1.7.10+dfsg-1~deb12u1 |
| debian | bullseye | fixed | 2:6.0.3.7+dfsg-2+deb11u3 |
| debian | forky | fixed | 2:7.2.2.1+dfsg-1 |
| debian | sid | fixed | 2:7.2.2.1+dfsg-1 |
| debian | trixie | fixed | 2:7.2.2.1+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionpack | <~> 6.1.7.4 | ~> 6.1.7.4 |
| RubyGems | actionpack | <6.1.7.4 | 6.1.7.4 |
| RubyGems | actionpack | >=7.0.0,<7.0.5.1 | 7.0.5.1 |
References
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://www.suse.com/security/cve/CVE-2023-28362.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-28362
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
- https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
- https://security.netapp.com/advisory/ntap-20250502-0009
- https://security-tracker.debian.org/tracker/CVE-2023-28362