CVE-2021-22881.yml
---
gem: actionpack
framework: rails
cve: 2021-22881
ghsa: 8877-prq4-9xfw
url: https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E
title: Possible Open Redirect in Host Authorization Middleware
date: 2021-02-10
description: |
  There is a possible open redirect vulnerability in the Host Authorization
  middleware in Action Pack. This vulnerability has been assigned the CVE
  identifier CVE-2021-22881.

  Versions Affected: >= 6.0.0
  Not affected: < 6.0.0
  Fixed Versions: 6.1.2.1, 6.0.3.5

  Impact
  ------
  Specially crafted "Host" headers in combination with certain "allowed host"
  formats can cause the Host Authorization middleware in Action Pack to redirect
  users to a malicious website.

  Impacted applications will have allowed hosts with a leading dot. For
  example, configuration files that look like this:

  ```
  config.hosts << '.tkte.ch'
  ```

  When an allowed host contains a leading dot, a specially crafted Host header
  can be used to redirect to a malicious website.

  Workarounds
  -----------
  In the case a patch can't be applied, the following monkey patch can be used
  in an initializer:

  ```ruby
  module ActionDispatch
    class HostAuthorization
      private
        def authorized?(request)
          # Only a plain hostname ([a-z0-9.-]) or a bracketed IPv6 literal,
          # optionally followed by a port, is accepted as a Host value.
          valid_host = /
            \A
            (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
            (:\d+)?
            \z
          /x

          origin_host = valid_host.match(
            request.get_header("HTTP_HOST").to_s.downcase)
          forwarded_host = valid_host.match(
            request.x_forwarded_host.to_s.split(/,\s?/).last)

          # The allow list is consulted only on the host part captured by the
          # strict pattern above; a Host value that fails the pattern is rejected.
          origin_host && @permissions.allows?(origin_host[:host]) && (
            forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
        end
    end
  end
  ```
cvss_v3: 6.1
unaffected_versions:
  - "< 6.0.0"
patched_versions:
  - "~> 6.0.3, >= 6.0.3.5"
  - ">= 6.1.2.1"
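The workaround's check, re-implemented stand-alone so it can be exercised without Rails (added example, not the advisory's or Rails' own code): `VALID_HOST` is the strict host syntax from the monkey patch, and `AllowList` is an assumed stand-in for Rails' Host Authorization permission matching, where a leading-dot entry such as `.tkte.ch` permits that domain and its subdomains and any other entry must match exactly.

```ruby
# Strict syntax the workaround enforces on Host / X-Forwarded-Host values:
# a hostname of [a-z0-9.-] or a bracketed IPv6 literal, optionally with a port.
VALID_HOST = /
  \A
  (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
  (:\d+)?
  \z
/x

# Assumed stand-in for Rails' permission matcher (not Rails' code): an entry
# with a leading dot permits the bare domain and any subdomain of it; any other
# entry must equal the host exactly. Matching is case-insensitive.
class AllowList
  def initialize(entries)
    @patterns = entries.map do |entry|
      if entry.start_with?(".")
        /\A(.+\.)?#{Regexp.escape(entry[1..])}\z/i
      else
        /\A#{Regexp.escape(entry)}\z/i
      end
    end
  end

  def allows?(host)
    @patterns.any? { |pattern| pattern.match?(host) }
  end
end

# Mirrors the monkey patch's authorized?: both header values must pass the
# strict syntax before the allow list is consulted on the captured host part.
# Like the workaround, only the last X-Forwarded-Host entry is considered and
# an absent forwarded header leaves the Host header as the sole check.
def authorized_host?(allow_list, host_header, forwarded_header = nil)
  origin = VALID_HOST.match(host_header.to_s.downcase)
  last_forwarded = forwarded_header.to_s.split(/,\s?/).last
  forwarded = VALID_HOST.match(last_forwarded.to_s.downcase)

  !!(origin && allow_list.allows?(origin[:host]) &&
     (forwarded.nil? || allow_list.allows?(forwarded[:host])))
end

if __FILE__ == $PROGRAM_NAME
  allow = AllowList.new([".tkte.ch"])  # constructed sample configuration
  ["tkte.ch", "api.tkte.ch:3000", "evil.example", "tkte.ch!"].each do |h|
    puts "#{h.ljust(18)} -> #{authorized_host?(allow, h)}"
  end
end
```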