Open Redirect in ActionPack

Overview

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1

Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.

Releases

The fixed releases are available at the normal locations.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end

Cross-site scripting in actionpack

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Workarounds

Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb: config.middleware.delete ActionDispatch::ActionableExceptions

Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.

Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 5-2-http-authentication-dos.patch - Patch for 5.2 series
• 6-0-http-authentication-dos.patch - Patch for 6.0 series
• 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!

Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 5.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying untrusted hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

Actionpack Open Redirect Vulnerability

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases

The FIXED releases are available at the normal locations. Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Cross-site Scripting in actionpack

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Untrusted users can run pending migrations in production in Rails

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2

Impact

Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.

Workarounds

Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

Denial of Service in Action Dispatch

Impact

There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue.

module Mime
  class Type
    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series
• 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Security Curious security...@pm.me for reporting this!

Action Pack contains Information Disclosure / Unintended Method Execution vulnerability

Impact

There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input.

Vulnerable code will look like this.

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example,

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end

Or force the user input to be cast to a string like this,

def index
  redirect_to(params[:some_param].to_s)
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 5-2-information-disclosure.patch - Patch for 5.2 series
• 6-0-information-disclosure.patch - Patch for 6.0 series
• 6-1-information-disclosure.patch - Patch for 6.1 series

Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Benoit Côté-Jodoin from Shopify for reporting this.

Ability to forge per-form CSRF tokens in Rails

It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

Cross-site Scripting Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as HTML responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 Impact

Specially crafted cookies, in combination with a specially crafted XFORWARDEDHOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases

The FIXED releases are available at the normal locations. Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious XFORWARDEDHOST headers before they reach the application. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

actionpack Open Redirect in Host Authorization Middleware

Specially crafted X-Forwarded-Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
• 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
• 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Exposure of information in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying untrusted hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

Ability to forge per-form CSRF tokens given a global CSRF token

It is possible to possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

Untrusted users able to run pending migrations in production

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2 Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production) Fixed Versions: rails >= 6.0.3.2

Impact

Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already ran.

Workarounds

Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

Possible XSS Vulnerability in Action Pack in Development Mode

There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.3.4

Impact

When an application is running in development mode, and attacker can send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application.

Workarounds

Until such time as the patch can be applied, application developers should disable the Actionable Exceptions middleware in their development environment via a line such as this one in their config/environment/development.rb:

config.middleware.delete ActionDispatch::ActionableExceptions

Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22881.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.1.2.1, 6.0.3.5

Impact

Specially crafted Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.tkte.ch'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used in an initializer:

module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end

Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.

Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end

def index
  redirect_to(check(params[:some_param]))
end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

Possible Denial of Service vulnerability in Action Dispatch

There is a possible Denial of Service vulnerability in the Mime type parser of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2021-22902.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.3.7, 6.1.3.2

Impact

There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module Mime
  class Type
    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end

Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2021-22904.

Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.

Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1

Impact

Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.

Releases

The fixed releases are available at the normal locations.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

module ActionDispatch
  class HostAuthorization
    HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
    VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
    VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/

    private
      def authorized?(request)
        origin_host =
          request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
        forwarded_host =
          request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
        @permissions.allows?(origin_host) &&
          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
      end
  end
end

Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.

Specially crafted X-Forwarded-Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts <<  '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

• 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
• 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
• 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Possible XSS Vulnerability in Action Pack

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as HTML responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.

Possible exposure of information vulnerability in Action Pack

Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation if this issue even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

Specially crafted cookies, in combination with a specially crafted XFORWARDEDHOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious XFORWARDEDHOST headers before they reach the application.

ReDoS based DoS vulnerability in Action Dispatch

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.

Possible XSS via User Supplied Values to redirect_to

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.