Bugzilla – Bug 1182160
VUL-0: CVE-2021-22881: rubygem-actionpack: open redirect vulnerability via `Host` headers
Last modified: 2021-02-12 08:37:44 UTC
The Host Authorization middleware in Action Pack before 220.127.116.11, 18.104.22.168 suffers
from an open redirect vulnerability. Specially crafted `Host` headers in
combination with certain "allowed host" formats can cause the Host Authorization
middleware in Action Pack to redirect users to a malicious website. Impacted
applications will have allowed hosts with a leading dot. When an allowed host
contains a leading dot, a specially crafted `Host` header can be used to
redirect to a malicious website.
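To make the "leading dot" condition concrete, the following added example (illustrative code written for this record, not Action Pack's own implementation) models how an allowed-host entry such as `.example.com` is turned into a matcher for the request's `Host` value. It contrasts a permissive matcher, whose subdomain part accepts any characters, with a hardened one that only accepts characters valid in a DNS label, and includes a small audit helper that lists the configuration entries with a leading dot. The host values and the allowed-host list are constructed sample data.

```ruby
# Added illustration, not Action Pack's own code. Models how an
# "allowed host" entry with a leading dot (".example.com", meaning the
# domain and any subdomain) is turned into a matcher for the request's
# Host value, and why the character set permitted in the subdomain
# part decides whether non-hostname input can slip past the check.

# Permissive model: the subdomain part may be any run of characters.
def permissive_matcher(allowed)
  if allowed.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(allowed[1..-1])}\z/i
  else
    /\A#{Regexp.escape(allowed)}\z/i
  end
end

# Hardened model: subdomain labels are limited to the characters a DNS
# label may contain (letters, digits, hyphen), separated by single dots.
def strict_matcher(allowed)
  if allowed.start_with?(".")
    /\A([a-z0-9-]+\.)*#{Regexp.escape(allowed[1..-1])}\z/i
  else
    /\A#{Regexp.escape(allowed)}\z/i
  end
end

# Decide whether a Host value is accepted by any configured entry.
def host_allowed?(host, allowed_hosts, strict: true)
  allowed_hosts.any? do |entry|
    matcher = strict ? strict_matcher(entry) : permissive_matcher(entry)
    matcher.match?(host)
  end
end

# Audit helper: the configuration entries this bug record says are
# relevant are exactly the ones with a leading dot.
def leading_dot_entries(allowed_hosts)
  allowed_hosts.select { |entry| entry.start_with?(".") }
end

# Constructed sample inputs (not from the bug record).
ALLOWED = [".example.com", "api.example.org"].freeze
SAMPLE_HOSTS = [
  "www.example.com",            # legitimate subdomain
  "example.com",                # bare domain
  "not-a-label/.example.com",   # '/' is not valid in a hostname label
  "api.example.org",            # exact (non-leading-dot) entry
  "example.net",                # not configured at all
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "leading-dot entries: #{leading_dot_entries(ALLOWED).inspect}"
  SAMPLE_HOSTS.each do |h|
    puts format("%-28s permissive=%-5s strict=%s", h,
                host_allowed?(h, ALLOWED, strict: false),
                host_allowed?(h, ALLOWED, strict: true))
  end
end
```

Running the script prints one line per sample host. The only row where the two matchers disagree is the value containing a character that cannot appear in a hostname label: the permissive matcher accepts it because `.+` matches anything before the final `.example.com`, while the label-restricted matcher rejects it. For an application that cannot yet move to a fixed version, `leading_dot_entries` is the quick way to see whether its configuration falls into the impacted category described above.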
Not affected: < 6.0.0
Fixed Versions: 22.214.171.124, 126.96.36.199
Only Factory is affected. All SUSE and openSUSE versions are prior to 6.0.0.