Ruby/actionpack/6.1.3
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
https://rubygems.org/gems/actionpack
MIT
23 Security Vulnerabilities
Open Redirect in ActionPack
- https://nvd.nist.gov/vuln/detail/CVE-2021-22942
- https://github.com/advisories/GHSA-2rqw-v265-jf8c
- https://access.redhat.com/security/cve/cve-2021-22942
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml
- https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c
- https://rubygems.org/gems/actionpack
- https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
- http://www.openwall.com/lists/oss-security/2021/12/14/5
- https://www.debian.org/security/2023/dsa-5372
- https://security.netapp.com/advisory/ntap-20240202-0005/
Overview
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1
Impact
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.
Releases
The fixed releases are available at the normal locations.
Workarounds
In the case a patch can’t be applied, the following monkey patch can be used in an initializer:
module ActionDispatch
class HostAuthorization
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
private
def authorized?(request)
origin_host =
request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
forwarded_host =
request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
@permissions.allows?(origin_host) &&
(forwarded_host.blank? || @permissions.allows?(forwarded_host))
end
end
end
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
- https://github.com/advisories/GHSA-4g8v-vg43-wpgf
The redirect_to
method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.
Possible Open Redirect Vulnerability in Action Pack
- https://github.com/rails/rails/releases/tag/v6.1.3.2
- https://nvd.nist.gov/vuln/detail/CVE-2021-22903
- https://github.com/advisories/GHSA-5hq2-xf89-9jxq
- https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
- https://hackerone.com/reports/1148025
- https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
There is a possible Open Redirect Vulnerability in Action Pack.
Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2
Impact
This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain allowed host
formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious
website.
Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << sub.example.com
to permit a request with a Host header value of sub-example.com.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch put in an initializer can be used as a workaround.
class ActionDispatch::HostAuthorization::Permissions
def sanitize_string(host)
if host.start_with?(".")
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
else
/\A#{Regexp.escape host}\z/i
end
end
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-1-open-redirect.patch - Patch for 6.1 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!
Possible DoS Vulnerability in Action Controller Token Authentication
- https://github.com/rails/rails/releases/tag/v5.2.4.6
- https://nvd.nist.gov/vuln/detail/CVE-2021-22904
- https://github.com/advisories/GHSA-7wjx-3g7j-8584
- https://github.com/rails/rails/releases/tag/v5.2.6
- https://github.com/rails/rails/releases/tag/v6.0.3.7
- https://github.com/rails/rails/releases/tag/v6.1.3.2
- https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
- https://hackerone.com/reports/1101125
- https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869
- https://security.netapp.com/advisory/ntap-20210805-0009/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller.
Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6
Impact
Impacted code uses authenticate_or_request_with_http_token
or authenticate_with_http_token
for request authentication. Impacted code will look something like this:
class PostsController < ApplicationController
before_action :authenticate
private
def authenticate
authenticate_or_request_with_http_token do |token, options|
# ...
end
end
end
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch placed in an initializer can be used to work around the issue:
module ActionController::HttpAuthentication::Token
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-2-http-authentication-dos.patch - Patch for 5.2 series
- 6-0-http-authentication-dos.patch - Patch for 6.0 series
- 6-1-http-authentication-dos.patch - Patch for 6.1 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
ReDoS based DoS vulnerability in Action Dispatch
- https://github.com/rails/rails/releases/tag/v7.0.4.1
- https://github.com/advisories/GHSA-8xww-x3g3-6jcv
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
- https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
- https://nvd.nist.gov/vuln/detail/CVE-2023-22795
- https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases
The FIXED releases are available at the normal locations. Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Cross-site Scripting in actionpack
- https://nvd.nist.gov/vuln/detail/CVE-2022-3704
- https://github.com/rails/rails/issues/46244
- https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
- https://vuldb.com/?id.212319
- https://github.com/rails/rails/pull/46269
- https://github.com/advisories/GHSA-9chr-4fjh-5rgw
- https://github.com/rails/rails/issues/46244#issuecomment-1380875153
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.
This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.
Denial of Service in Action Dispatch
- https://github.com/rails/rails/releases/tag/v6.0.3.7
- https://nvd.nist.gov/vuln/detail/CVE-2021-22902
- https://github.com/advisories/GHSA-g8ww-46x2-2p65
- https://github.com/rails/rails/releases/tag/v6.1.3.2
- https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c
- https://hackerone.com/reports/1138654
- https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml
Impact
There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch placed in an initializer can be used to work around the issue.
module Mime
class Type
MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
end
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series
- 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks to Security Curious security...@pm.me for reporting this!
Action Pack contains Information Disclosure / Unintended Method Execution vulnerability
- https://github.com/rails/rails/releases/tag/v5.2.4.6
- https://nvd.nist.gov/vuln/detail/CVE-2021-22885
- https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
- https://github.com/rails/rails/releases/tag/v5.2.6
- https://github.com/rails/rails/releases/tag/v6.0.3.7
- https://github.com/rails/rails/releases/tag/v6.1.3.2
- https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
- https://hackerone.com/reports/1106652
- https://www.debian.org/security/2021/dsa-4929
- https://security.netapp.com/advisory/ntap-20210805-0009/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
Impact
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to
or polymorphic_url
helper with untrusted user input.
Vulnerable code will look like this.
redirect_to(params[:some_param])
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example,
private def check(param)
case param
when "valid"
param
else
"/"
end
end
def index
redirect_to(check(params[:some_param]))
end
Or force the user input to be cast to a string like this,
def index
redirect_to(params[:some_param].to_s)
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-2-information-disclosure.patch - Patch for 5.2 series
- 6-0-information-disclosure.patch - Patch for 6.0 series
- 6-1-information-disclosure.patch - Patch for 6.1 series
Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks to Benoit Côté-Jodoin from Shopify for reporting this.
Cross-site Scripting Vulnerability in Action Pack
- https://nvd.nist.gov/vuln/detail/CVE-2022-22577
- https://github.com/rails/rails/pull/44635
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
- https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
- https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
- https://github.com/advisories/GHSA-mm33-5vfq-3mm3
- https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://security.netapp.com/advisory/ntap-20221118-0002/
- https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
- https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
- https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
- https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
- https://www.debian.org/security/2023/dsa-5372
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
CSP headers were only sent along with responses that Rails considered as
HTML
responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Set a CSP for your API responses manually.
ReDoS based DoS vulnerability in Action Dispatch
- https://github.com/rails/rails/releases/tag/v7.0.4.1
- https://github.com/advisories/GHSA-p84v-45xj-wwqj
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
- https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
- https://nvd.nist.gov/vuln/detail/CVE-2023-22792
- https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
- https://security.netapp.com/advisory/ntap-20240202-0007/
- https://www.debian.org/security/2023/dsa-5372
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1 Impact
Specially crafted cookies, in combination with a specially crafted XFORWARDEDHOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases
The FIXED releases are available at the normal locations. Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious XFORWARDEDHOST headers before they reach the application. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 6.1 series
7-0-Use-string-split-instead-of-regex-for-domain-parts.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
actionpack Open Redirect in Host Authorization Middleware
- https://nvd.nist.gov/vuln/detail/CVE-2021-44528
- https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ?utm_medium=email&utm_source=footer
- https://github.com/rails/rails/commit/aecba3c301b80e9d5a63c30ea1b287bceaf2c107
- https://github.com/rails/rails/blob/v6.1.4.2/actionpack/CHANGELOG.md#rails-6142-december-14-2021
- https://github.com/advisories/GHSA-qphc-hf5q-v8fc
- https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-44528.yml
- https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ
- https://www.debian.org/security/2023/dsa-5372
- https://security.netapp.com/advisory/ntap-20240208-0003/
Specially crafted X-Forwarded-Host
headers in combination with certain allowed host
formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.
Releases
The fixed releases are available at the normal locations.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
- 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
- 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Exposure of information in Action Pack
- https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
- https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
- https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
- https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
- https://github.com/advisories/GHSA-wh98-p28r-vrc9
- https://nvd.nist.gov/vuln/detail/CVE-2022-23633
- http://www.openwall.com/lists/oss-security/2022/02/11/5
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://www.debian.org/security/2023/dsa-5372
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
- https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
- https://security.netapp.com/advisory/ntap-20240119-0013/
Impact
Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close
, ActionDispatch::Executor
will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes
.
Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor
def call(env)
ensure_completed!
super
end
private
def ensure_completed!
@executor.new.complete! if @executor.active?
end
end
# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
Possible Information Disclosure / Unintended Method Execution in Action Pack
There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.
Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6
Impact
There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to
or polymorphic_url
helper with untrusted user input.
Vulnerable code will look like this:
redirect_to(params[:some_param])
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:
private def check(param)
case param
when "valid"
param
else
"/"
end
end
def index
redirect_to(check(params[:some_param]))
end
Or force the user input to be cast to a string like this:
def index
redirect_to(params[:some_param].to_s)
end
Possible Denial of Service vulnerability in Action Dispatch
There is a possible Denial of Service vulnerability in the Mime type parser of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2021-22902.
Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.3.7, 6.1.3.2
Impact
There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Workarounds
The following monkey patch placed in an initializer can be used to work around the issue:
module Mime
class Type
MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
end
end
Possible Open Redirect Vulnerability in Action Pack
There is a possible Open Redirect Vulnerability in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22903.
Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2
Impact
This is similar to CVE-2021-22881: Specially crafted Host headers in
combination with certain allowed host
formats can cause the Host
Authorization middleware in Action Pack to redirect users to a malicious
website.
Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading
dot are converted to regular expressions without proper escaping. This causes,
for example, config.hosts << sub.example.com
to permit a request with a Host
header value of sub-example.com.
Workarounds
The following monkey patch put in an initializer can be used as a workaround:
class ActionDispatch::HostAuthorization::Permissions
def sanitize_string(host)
if host.start_with?(".")
/\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
else
/\A#{Regexp.escape host}\z/i
end
end
end
Possible DoS Vulnerability in Action Controller Token Authentication
There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2021-22904.
Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6
Impact
Impacted code uses authenticate_or_request_with_http_token
or
authenticate_with_http_token
for request authentication. Impacted code will
look something like this:
class PostsController < ApplicationController
before_action :authenticate
private
def authenticate
authenticate_or_request_with_http_token do |token, options|
# ...
end
end
end
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
The following monkey patch placed in an initializer can be used to work around the issue:
module ActionController::HttpAuthentication::Token
AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
Possible Open Redirect in Host Authorization Middleware
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22942.
Versions Affected: >= 6.0.0. Not affected: < 6.0.0 Fixed Versions: 6.1.4.1, 6.0.4.1
Impact
Specially crafted “X-Forwarded-Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881, but CVE-2021-22881 did not take in to account domain name case sensitivity.
Releases
The fixed releases are available at the normal locations.
Workarounds
In the case a patch can’t be applied, the following monkey patch can be used in an initializer:
module ActionDispatch
class HostAuthorization
HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
private
def authorized?(request)
origin_host =
request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
forwarded_host =
request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
@permissions.allows?(origin_host) &&
(forwarded_host.blank? || @permissions.allows?(forwarded_host))
end
end
end
Possible Open Redirect in Host Authorization Middleware
There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack.
Specially crafted X-Forwarded-Host
headers in combination with certain
allowed host
formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.
Releases
The fixed releases are available at the normal locations.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
- 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
- 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Possible XSS Vulnerability in Action Pack
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
CSP headers were only sent along with responses that Rails considered as
HTML
responses. This left API requests without CSP headers, which could
possibly expose users to XSS attacks.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Set a CSP for your API responses manually.
Possible exposure of information vulnerability in Action Pack
Impact
Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack
middleware. In the event a response is not notified of a close
,
ActionDispatch::Executor
will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes
.
Upgrading to the FIXED versions of Rails will ensure mitigation if this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor
def call(env)
ensure_completed!
super
end
private
def ensure_completed!
@executor.new.complete! if @executor.active?
end
end
# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.
Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
Specially crafted cookies, in combination with a specially crafted XFORWARDEDHOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious XFORWARDEDHOST headers before they reach the application.
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
Possible XSS via User Supplied Values to redirect_to
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.
467 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
6.1.0.rc1 | MIT | 15 | 2020-11-02 - 21:20 | over 3 years |
6.0.3.4 | MIT | 23 | 2020-10-07 - 16:50 | over 3 years |
6.0.3.3 | MIT | 25 | 2020-09-09 - 18:24 | over 3 years |
6.0.3.2 | MIT | 25 | 2020-06-17 - 14:54 | almost 4 years |
6.0.3.1 | MIT | 27 | 2020-05-18 - 15:47 | about 4 years |
6.0.3 | MIT | 31 | 2020-05-06 - 18:04 | about 4 years |
6.0.3.rc1 | MIT | 31 | 2020-05-01 - 17:18 | about 4 years |
6.0.2.2 | MIT | 31 | 2020-03-19 - 16:43 | about 4 years |
6.0.2.1 | MIT | 31 | 2019-12-18 - 19:08 | over 4 years |
6.0.2 | MIT | 31 | 2019-12-13 - 18:20 | over 4 years |
6.0.2.rc2 | MIT | 31 | 2019-12-09 - 16:12 | over 4 years |
6.0.2.rc1 | MIT | 31 | 2019-11-27 - 15:11 | over 4 years |
6.0.1 | MIT | 31 | 2019-11-05 - 14:39 | over 4 years |
6.0.1.rc1 | MIT | 31 | 2019-10-31 - 20:05 | over 4 years |
6.0.0 | MIT | 31 | 2019-08-16 - 18:00 | almost 5 years |
6.0.0.rc2 | MIT | 12 | 2019-07-22 - 21:10 | almost 5 years |
6.0.0.rc1 | MIT | 12 | 2019-04-24 - 18:51 | about 5 years |
6.0.0.beta3 | MIT | 12 | 2019-03-13 - 17:02 | about 5 years |
6.0.0.beta2 | MIT | 12 | 2019-02-25 - 22:45 | about 5 years |
6.0.0.beta1 | MIT | 12 | 2019-01-18 - 20:46 | over 5 years |
5.2.4.4 | MIT | 13 | 2020-09-09 - 18:36 | over 3 years |
5.2.4.3 | MIT | 13 | 2020-05-18 - 15:42 | about 4 years |
5.2.4.2 | MIT | 17 | 2020-03-19 - 16:37 | about 4 years |
5.2.4.1 | MIT | 17 | 2019-12-18 - 19:02 | over 4 years |
5.2.4 | MIT | 17 | 2019-11-27 - 15:46 | over 4 years |
5.2.4.rc1 | MIT | 17 | 2019-11-23 - 00:28 | over 4 years |
5.2.3 | MIT | 17 | 2019-03-28 - 03:02 | about 5 years |
5.2.3.rc1 | MIT | 17 | 2019-03-22 - 03:34 | about 5 years |
5.2.2.1 | MIT | 17 | 2019-03-13 - 16:47 | about 5 years |
5.2.2 | MIT | 17 | 2018-12-04 - 18:13 | over 5 years |
5.2.2.rc1 | MIT | 17 | 2018-11-28 - 22:54 | over 5 years |
5.2.1.1 | MIT | 17 | 2018-11-27 - 20:13 | over 5 years |
5.2.1 | MIT | 17 | 2018-08-07 - 21:43 | almost 6 years |
5.2.1.rc1 | MIT | 17 | 2018-07-30 - 20:20 | almost 6 years |
5.2.0 | MIT | 17 | 2018-04-09 - 20:05 | about 6 years |
5.2.0.rc2 | MIT | 15 | 2018-03-20 - 17:53 | about 6 years |
5.2.0.rc1 | MIT | 15 | 2018-01-30 - 23:37 | over 6 years |
5.2.0.beta2 | MIT | 15 | 2017-11-28 - 05:03 | over 6 years |
5.2.0.beta1 | MIT | 15 | 2017-11-27 - 18:04 | over 6 years |
5.1.7 | MIT | 17 | 2019-03-28 - 02:47 | about 5 years |
5.1.7.rc1 | MIT | 17 | 2019-03-22 - 04:12 | about 5 years |
5.1.6.2 | MIT | 17 | 2019-03-13 - 16:45 | about 5 years |
5.1.6.1 | MIT | 17 | 2018-11-27 - 20:11 | over 5 years |
5.1.6 | MIT | 17 | 2018-03-29 - 18:28 | about 6 years |
5.1.5 | MIT | 17 | 2018-02-14 - 20:00 | over 6 years |
5.1.5.rc1 | MIT | 17 | 2018-02-01 - 18:59 | over 6 years |
5.1.4 | MIT | 17 | 2017-09-08 - 00:50 | over 6 years |
5.1.4.rc1 | MIT | 17 | 2017-08-24 - 19:36 | over 6 years |
5.1.3 | MIT | 17 | 2017-08-03 - 19:14 | almost 7 years |
5.1.3.rc3 | MIT | 17 | 2017-07-31 - 19:11 | almost 7 years |
5.1.3.rc2 | MIT | 17 | 2017-07-25 - 20:17 | almost 7 years |
5.1.3.rc1 | MIT | 17 | 2017-07-19 - 19:37 | almost 7 years |
5.1.2 | MIT | 17 | 2017-06-26 - 21:50 | almost 7 years |
5.1.2.rc1 | MIT | 17 | 2017-06-20 - 17:03 | almost 7 years |
5.1.1 | MIT | 17 | 2017-05-12 - 20:10 | about 7 years |
5.1.0 | MIT | 17 | 2017-04-27 - 20:59 | about 7 years |
5.1.0.rc2 | MIT | 17 | 2017-04-21 - 01:30 | about 7 years |
5.1.0.rc1 | MIT | 17 | 2017-03-20 - 18:57 | about 7 years |
5.1.0.beta1 | MIT | 17 | 2017-02-23 - 19:57 | about 7 years |
5.0.7.2 | MIT | 17 | 2019-03-13 - 16:40 | about 5 years |
5.0.7.1 | MIT | 17 | 2018-11-27 - 20:08 | over 5 years |
5.0.7 | MIT | 17 | 2018-03-29 - 17:58 | about 6 years |
5.0.6 | MIT | 17 | 2017-09-08 - 00:46 | over 6 years |
5.0.6.rc1 | MIT | 17 | 2017-08-24 - 19:10 | over 6 years |
5.0.5 | MIT | 17 | 2017-07-31 - 19:04 | almost 7 years |
5.0.5.rc2 | MIT | 17 | 2017-07-25 - 20:25 | almost 7 years |
5.0.5.rc1 | MIT | 17 | 2017-07-19 - 19:43 | almost 7 years |
5.0.4 | MIT | 17 | 2017-06-19 - 21:58 | almost 7 years |
5.0.4.rc1 | MIT | 17 | 2017-06-14 - 20:48 | almost 7 years |
5.0.3 | MIT | 17 | 2017-05-12 - 20:03 | about 7 years |
5.0.2 | MIT | 17 | 2017-03-01 - 23:13 | about 7 years |
5.0.2.rc1 | MIT | 17 | 2017-02-25 - 00:55 | about 7 years |
5.0.1 | MIT | 17 | 2016-12-21 - 00:06 | over 7 years |
5.0.1.rc2 | MIT | 17 | 2016-12-09 - 19:12 | over 7 years |
5.0.1.rc1 | MIT | 17 | 2016-11-30 - 20:01 | over 7 years |
5.0.0.1 | MIT | 17 | 2016-08-11 - 17:32 | almost 8 years |
5.0.0 | MIT | 18 | 2016-06-30 - 21:21 | almost 8 years |
5.0.0.rc2 | MIT | 13 | 2016-06-22 - 20:02 | almost 8 years |
5.0.0.rc1 | MIT | 13 | 2016-05-06 - 21:56 | about 8 years |
5.0.0.racecar1 | MIT | 17 | 2016-05-06 - 22:01 | about 8 years |
5.0.0.beta4 | MIT | 13 | 2016-04-27 - 20:54 | about 8 years |
5.0.0.beta3 | MIT | 13 | 2016-02-24 - 16:15 | about 8 years |
5.0.0.beta2 | MIT | 13 | 2016-02-01 - 22:05 | over 8 years |
5.0.0.beta1.1 | MIT | 13 | 2016-01-25 - 19:23 | over 8 years |
5.0.0.beta1 | MIT | 13 | 2015-12-18 - 21:17 | over 8 years |
4.2.11.3 | MIT | 13 | 2020-05-15 - 18:35 | about 4 years |
4.2.11.2 | MIT | 13 | 2020-05-15 - 16:30 | about 4 years |
4.2.11.1 | MIT | 13 | 2019-03-13 - 16:37 | about 5 years |
4.2.11 | MIT | 13 | 2018-11-27 - 20:06 | over 5 years |
4.2.10 | MIT | 13 | 2017-09-27 - 14:28 | over 6 years |
4.2.10.rc1 | MIT | 13 | 2017-09-20 - 19:41 | over 6 years |
4.2.9 | MIT | 13 | 2017-06-26 - 21:30 | almost 7 years |
4.2.9.rc2 | MIT | 13 | 2017-06-19 - 22:27 | almost 7 years |
4.2.9.rc1 | MIT | 13 | 2017-06-13 - 18:49 | almost 7 years |
4.2.8 | MIT | 13 | 2017-02-21 - 16:08 | about 7 years |
4.2.8.rc1 | MIT | 13 | 2017-02-10 - 02:45 | over 7 years |
4.2.7.1 | MIT | 13 | 2016-08-11 - 17:31 | almost 8 years |
4.2.7 | MIT | 14 | 2016-07-13 - 02:55 | almost 8 years |
4.2.7.rc1 | MIT | 14 | 2016-07-01 - 00:32 | almost 8 years |
4.2.6 | MIT | 14 | 2016-03-07 - 22:32 | about 8 years |