CVE-2021-22881

Description:
The Host Authorization middleware in Action Pack before 6.1.2.1 and 6.0.3.5 suffers from an open redirect vulnerability. A specially crafted `Host` header, in combination with certain "allowed host" formats, can cause the middleware to redirect users to a malicious website. Only applications whose allowed hosts include an entry with a leading dot (the form that also admits subdomains) are impacted: with such an entry in place, a crafted `Host` header passes the authorization check and can then be used to redirect to a malicious website. Fixed in Action Pack 6.1.2.1 and 6.0.3.5.
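The Ruby below is an added worked example for this record; it is not Action Pack's source and not the vendor patch. It models the check the description refers to: a leading-dot entry such as `.example.com` is turned into a pattern and matched against the request `Host` header. `permissive_pattern` reproduces the bug class (the optional subdomain prefix may contain any character, so `evil.com/.example.com` still "ends in" the allowed host), while `hardened_pattern` is one possible hardening that only admits DNS-style labels in that position. `host_from_header`, `redirect_location`, the allowed-host list and the `Host` header values are all constructed for illustration.

```ruby
# Added example modelling the CVE-2021-22881 bug class; not Action Pack code.
# A leading-dot allowed host (".example.com") means "the domain and any
# subdomain". The permissive pattern lets the prefix be anything, so a Host
# header that is really another origin followed by "/.example.com" matches.
# The hardened pattern (my own hardening, not the vendor patch) only accepts
# hostname labels in that position.

def permissive_pattern(allowed)
  return /\A#{Regexp.escape(allowed)}\z/i unless allowed.start_with?(".")
  /\A(.+\.)?#{Regexp.escape(allowed[1..-1])}\z/i        # ".+" is the flaw
end

def hardened_pattern(allowed)
  return /\A#{Regexp.escape(allowed)}\z/i unless allowed.start_with?(".")
  /\A(?:[a-z0-9-]+\.)*#{Regexp.escape(allowed[1..-1])}\z/i
end

# Approximates how a framework derives request.host: drop a trailing port,
# otherwise trust the header verbatim.
def host_from_header(host_header)
  host_header.sub(/:\d+\z/, "")
end

def host_allowed?(host_header, allowed_hosts, hardened:)
  host = host_from_header(host_header)
  allowed_hosts.any? do |allowed|
    pattern = hardened ? hardened_pattern(allowed) : permissive_pattern(allowed)
    pattern.match?(host)
  end
end

# How the open redirect materialises: a redirect to a relative path is
# rebuilt as scheme://host/path with host taken from the untrusted header.
# Illustrative helper, not Rails' url_for.
def redirect_location(host_header, path)
  "https://#{host_from_header(host_header)}#{path}"
end

# Configuration check: which allowed-host entries are leading-dot strings,
# i.e. the ones the advisory says make an application impacted.
def leading_dot_hosts(allowed_hosts)
  allowed_hosts.select { |h| h.is_a?(String) && h.start_with?(".") }
end

# Constructed allowed-host list and Host header values (not from a real app).
ALLOWED_HOSTS = [".example.com", "www.example.org"].freeze

# header => whether a correct check should accept it
CASES = {
  "example.com"             => true,
  "api.example.com"         => true,
  "api.v2.example.com:8443" => true,   # nested subdomain, port stripped
  "www.example.org"         => true,
  "evil.com/.example.com"   => false,  # crafted: other origin + "/.example.com"
  "evil.com#.example.com"   => false,  # crafted: fragment separator
  "notexample.com"          => false,
  "evil.com"                => false,
}.freeze

# Crafted headers that a given pattern style wrongly accepts.
def wrongly_accepted(hardened:, cases: CASES, allowed: ALLOWED_HOSTS)
  cases.reject { |_h, legit| legit }
       .keys
       .select { |h| host_allowed?(h, allowed, hardened: hardened) }
end

# Legitimate headers that a given pattern style wrongly rejects.
def wrongly_rejected(hardened:, cases: CASES, allowed: ALLOWED_HOSTS)
  cases.select { |_h, legit| legit }
       .keys
       .reject { |h| host_allowed?(h, allowed, hardened: hardened) }
end

if __FILE__ == $PROGRAM_NAME
  puts "leading-dot entries:        #{leading_dot_hosts(ALLOWED_HOSTS).inspect}"
  puts "permissive wrongly accepts: #{wrongly_accepted(hardened: false).inspect}"
  puts "hardened wrongly accepts:   #{wrongly_accepted(hardened: true).inspect}"
  puts "hardened wrongly rejects:   #{wrongly_rejected(hardened: true).inspect}"
  puts "redirect built from crafted header: " \
       "#{redirect_location('evil.com/.example.com', '/login')}"
end
```

Run with `ruby host_authorization_example.rb`. The permissive form accepts both crafted headers, and `redirect_location` shows why that matters: a relative redirect rebuilt from the header becomes `https://evil.com/.example.com/login`, which a browser resolves to the attacker's origin. `leading_dot_hosts` is the quick check to run over an application's configured hosts to decide whether the advisory applies.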

CWE: CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

CVSS rating
CVSS 2: MEDIUM – 5.8 (Version: 2.0)
CVSS 3: MEDIUM – 6.1 (Version: 3.1)

Links:

NVD – CVE-2021-22881
CVE – CVE-2021-22881

Link (max. 20) | Source | Tags
https://hackerone.com/reports/1047447 | MISC | Exploit, Patch, Third Party Advisory
https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130 | MISC | Mitigation, Patch, Vendor Advisory
https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization/ | MISC | Patch, Third Party Advisory
FEDORA-2021-b571fca1b8 | FEDORA | Mailing List, Third Party Advisory
[oss-security] 20210505 [CVE-2021-22903] Possible Open Redirect Vulnerability in Action Pack | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210215 [GitHub] [hbase] pankaj72981 edited a comment on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210215 [jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210215 [GitHub] [hbase] apurtell edited a comment on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210215 [GitHub] [hbase] apurtell commented on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210216 [jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[thrift-user] 20210217 Apache Thrift 0.14.0 Release not on Maven central | MLIST | Mailing List, Vendor Advisory
[thrift-user] 20210224 Re: [SECURITY] CVE-2020-13949 Announcement | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210301 [GitHub] [hbase] Apache-HBase commented on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Exploit, Mailing List, Vendor Advisory
[hbase-issues] 20210302 [GitHub] [hbase] Apache-HBase commented on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Exploit, Mailing List, Vendor Advisory
[hbase-issues] 20210302 [jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210302 [jira] [Updated] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210302 [GitHub] [hbase] Apache9 commented on a change in pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210302 [GitHub] [hbase] pankaj72981 commented on a change in pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210303 [GitHub] [hbase] Apache-HBase commented on pull request #2958: HBASE-25568 Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory
[hbase-issues] 20210308 [jira] [Commented] (HBASE-25568) Upgrade Thrift jar to fix CVE-2020-13949 | MLIST | Mailing List, Vendor Advisory

Note: the [hbase-issues] and [thrift-user] entries concern the Apache Thrift issue CVE-2020-13949, as their subject lines state, not the Action Pack issue described on this page. The [oss-security] entry refers to CVE-2021-22903, a later open redirect fix in the same middleware.

Source: NVD – CVE-2021-22881
Published: 2021-02-11T18:15Z, last modified: 2021-05-06T14:15Z