What is CVE-2021-22881?

CVE-2021-22881 is a vulnerability in Https://github.com/rails/rails, classified under URL Redirection to Untrusted Site (Open Redirect). Published 2021-02-11.

Is CVE-2021-22881 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Open Redirect in Https://github.com/rails/rails

CVE-2021-22881

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization midd…

Vulnerability class: Open Redirect

EPSS: 0.872 (99.7th percentile) — read the EPSS interpretation.

Affected products

N/a Https://github.com/rails/rails — versions Fixed in 6.1.2.1, 6.0.3.5

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

Public proof-of-concept exploits

References

hackerone.com/reports/1047447 (x_refsource_MISC)
discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authori… (x_refsource_MISC)
benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hosta… (x_refsource_MISC)
FEDORA-2021-b571fca1b8 (vendor-advisory, x_refsource_FEDORA)
[oss-security] 20210505 [CVE-2021-22903] Possible Open Redirect Vulnerability in Action Pack (mailing-list, x_refsource_MLIST)
[oss-security] 20210819 [CVE-2021-22942] Possible Open Redirect in Host Authorization Middleware (mailing-list, x_refsource_MLIST)
[oss-security] 20211214 [CVE-2021-44528] Possible Open Redirect in Host Authorization Middleware (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-22881?: CVE-2021-22881 is a vulnerability in Https://github.com/rails/rails, classified under URL Redirection to Untrusted Site (Open Redirect). Published 2021-02-11.
Is CVE-2021-22881 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.