Bugzilla – Bug 1182160
VUL-0: CVE-2021-22881: rubygem-actionpack: open redirect vulnerability via `Host` headers
Last modified: 2021-02-12 08:37:44 UTC
The Host Authorization middleware in Action Pack before 6.1.2.1 and 6.0.3.5 suffers
from an open redirect vulnerability. Specially crafted `Host` headers in
combination with certain "allowed host" formats can cause the Host Authorization
middleware in Action Pack to redirect users to a malicious website. Impacted
applications are those whose allowed hosts include an entry with a leading dot.
When an allowed host contains a leading dot, a specially crafted `Host` header
can be used to redirect to a malicious website.
Not affected: < 6.0.0
Fixed Versions: 6.1.2.1, 6.0.3.5
Only Factory is affected. All SUSE and openSUSE versions are prior to 6.0.0.
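As an added illustration (not Rails' own `ActionDispatch::HostAuthorization` code), the following Ruby shows a fail-closed allowed-host check for the "leading dot" entry form named in the advisory: the `Host` header is parsed strictly as `host[:port]` before any suffix match is attempted, so values that are not plain hostnames are rejected rather than matched. The allowed-host list and header values are constructed sample data.

```ruby
# Added example: strict matching of a Host header against allowed hosts,
# where an entry such as ".example.com" means the domain and all subdomains.
# Not the Rails implementation; a stand-alone illustration of the check.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each label 1-63 characters, not starting or ending with a hyphen.
HOSTNAME = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Extract the bare, lower-cased hostname from a Host header value.
# Returns nil when the value is not a syntactically valid host[:port],
# so that callers fail closed instead of guessing at the intended host.
def parse_host_header(value)
  return nil if value.nil?
  host = value.strip.sub(/:\d{1,5}\z/, "") # drop an optional port
  return nil if host.empty? || host.length > 253
  HOSTNAME.match?(host) ? host.downcase : nil
end

# Does +host+ (already parsed) match one allowed-host entry?
# A leading dot permits the base domain and every subdomain of it;
# any other entry requires an exact match.
def host_allowed_by?(host, allowed)
  allowed = allowed.downcase
  if allowed.start_with?(".")
    base = allowed[1..-1]
    host == base || host.end_with?("." + base)
  else
    host == allowed
  end
end

# Full check: parse first, then match against every allowed entry.
def host_authorized?(header_value, allowed_hosts)
  host = parse_host_header(header_value)
  return false if host.nil?
  allowed_hosts.any? { |entry| host_allowed_by?(host, entry) }
end

# Constructed sample configuration (not from any real application).
ALLOWED_HOSTS = [".example.com", "admin.internal"].freeze

if __FILE__ == $PROGRAM_NAME
  ["example.com", "app.example.com:3000", "notexample.com",
   "example.com.evil.test", "example.com/path"].each do |h|
    puts "#{h.inspect} => #{host_authorized?(h, ALLOWED_HOSTS)}"
  end
end
```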