PT-2021-4062 · Ruby · Action Pack

Jonathan Hefner · Published 2021-05-01 · Updated 2021-10-21 · CVE-2021-22903

CVSS v3.1

6.1 Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

actionpack ruby gem versions prior to 6.1.3.2

Description

The issue stems from the conversion of strings in config.hosts to regular expressions without proper escaping, which can lead to an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. For example, if config.hosts includes a string like "sub.example.com" without a leading dot, the unescaped "." matches any character, so a request with a Host header value of "sub-example.com" is permitted. This vulnerability is similar to a previously known issue.

Recommendations

To resolve the issue, update the actionpack ruby gem to version 6.1.3.2 or later. For versions prior to 6.1.3.2, a monkey patch can be applied as a workaround by adding the following code to an initializer:
```ruby
# Workaround: override the host-string-to-Regexp conversion so that the
# configured host is escaped before interpolation in both branches.
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      # ".example.com" allows example.com and any subdomain of it
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      # exact, case-insensitive match of the configured host
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```
Patches are also available for the 6.1 series.
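To make the escaping defect concrete, the following is an added stand-alone example, not Action Pack's own code: the `vulnerable` conversion interpolates a non-leading-dot host unescaped, as the description states, while `fixed` mirrors the workaround above. The names `HostPattern` and `host_allowed?` and the port-stripping step are simplifications chosen for this example.

```ruby
# Added example (not Action Pack code): reconstructs the config.hosts ->
# Regexp conversion in its vulnerable and fixed forms.
module HostPattern
  # Vulnerable conversion: a host without a leading dot is interpolated
  # verbatim, so "." keeps its regexp meaning ("any character") and also
  # matches "-", letting "sub-example.com" pass for "sub.example.com".
  def self.vulnerable(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{host}\z/i # no escaping: the defect
    end
  end

  # Fixed conversion, equivalent to the workaround initializer above.
  def self.fixed(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end

# Simplified stand-in for the middleware's allow check: strips an optional
# port from the Host header value (assumption for this example) and accepts
# the request if any configured host pattern matches.
def host_allowed?(allowed_hosts, header_host, strategy)
  name = header_host.sub(/:\d+\z/, "")
  allowed_hosts.any? { |h| HostPattern.public_send(strategy, h).match?(name) }
end

if __FILE__ == $0
  hosts = ["sub.example.com"]
  puts "vulnerable accepts sub-example.com: #{host_allowed?(hosts, 'sub-example.com', :vulnerable)}"
  puts "fixed accepts sub-example.com:      #{host_allowed?(hosts, 'sub-example.com', :fixed)}"
end
```

Running it shows the vulnerable pattern accepting "sub-example.com" while the fixed pattern rejects it and still accepts the configured host and, for a leading-dot entry, its subdomains.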

Open Redirect

Related Identifiers

BDU:2021-04602
CVE-2021-22903
GHSA-5HQ2-XF89-9JXQ

Affected Products

Action Pack