PT-2023-6443 · Rails · Rails

Ooooooo_Q · Published 2023-01-18 · Updated 2025-05-17 · CVE-2023-22797

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 7.0.4.1

Description
The issue is an open redirect vulnerability in Rails: the built-in protection against open redirects can be bypassed with a carefully crafted URL. It occurs when the redirect_to helper is called with untrusted user input. A remote attacker can exploit it to redirect users to an arbitrary URL.

Recommendations
For versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the patch provided for the 7.0 series, 7-0-Fix-sec-issue-with-_url_host_allowed.patch. As a temporary workaround, validate and sanitize any user input passed to the redirect_to helper to minimize the risk of exploitation, and avoid passing params[:some_param] directly to redirect_to until the fix is applied.
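The workaround above, validating the user-supplied target before it reaches redirect_to, as an added example that is not part of this advisory or of the Rails project: a plain-Ruby helper that accepts only same-site relative paths and absolute http(s) URLs whose host is on an allowlist, and falls back to a fixed path otherwise. ALLOWED_HOSTS and the fallback are assumptions constructed for the example; a controller would call redirect_to safe_redirect_target(params[:return_to]).

```ruby
require "uri"

# Constructed allowlist for this example; an application would list its own hosts.
ALLOWED_HOSTS = %w[example.com www.example.com].freeze

# Returns a value that is safe to hand to redirect_to, or +fallback+ when the
# user-supplied string is missing, malformed, or points off-site.
def safe_redirect_target(raw, fallback: "/")
  return fallback if raw.nil? || raw.strip.empty?

  value = raw.strip
  # Protocol-relative ("//host") and backslash ("/\host") forms are resolved
  # as absolute URLs by browsers, so reject them before parsing.
  return fallback if value.start_with?("//", "/\\")

  uri = URI.parse(value)

  # Same-site relative path: no scheme, no host, no userinfo, starts with "/".
  if uri.scheme.nil? && uri.host.nil? && uri.userinfo.nil? && value.start_with?("/")
    return value
  end

  # Absolute URL: only http(s) and only hosts explicitly allowed.
  scheme = uri.scheme.to_s.downcase
  host = uri.host.to_s.downcase
  return value if %w[http https].include?(scheme) && ALLOWED_HOSTS.include?(host)

  fallback
rescue URI::InvalidURIError
  # Anything URI cannot parse is not a target we want to forward users to.
  fallback
end

if $PROGRAM_NAME == __FILE__
  %w[/dashboard //evil.example/x https://example.com/account https://evil.example/phish].each do |t|
    puts "#{t.ljust(34)} -> #{safe_redirect_target(t)}"
  end
end
```

Checking the parsed host against an allowlist, rather than matching a prefix of the raw string, is what keeps inputs such as an allowed hostname placed in the userinfo part of a URL from slipping through.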

Tags: Exploit · Fix · Open Redirect


Weakness Enumeration

Related Identifiers

ALT-PU-2025-1938
BDU:2023-07160
CVE-2023-22797
GHSA-9445-4CR6-336R
OPENSUSE-SU-2024:12765-1
OPENSUSE-SU-2024:14067-1
OPENSUSE-SU-2025:15110-1

Affected Products

Rails