VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-gjey-bqtd-kqa1

Essentials
Severities (27)
References (21)
Severity details (17)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-gjey-bqtd-kqa1
Aliases	CVE-2021-22885 GHSA-hjg4-8q5f-x6fm
Summary	Action Pack contains Information Disclosure / Unintended Method Execution vulnerability Impact ------ There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. Vulnerable code will look like this. ``` redirect_to(params[:some_param]) ``` All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example, ```ruby private def check(param) case param when "valid" param else "/" end end def index redirect_to(check(params[:some_param])) end ``` Or force the user input to be cast to a string like this, ```ruby def index redirect_to(params[:some_param].to_s) end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 5-2-information-disclosure.patch - Patch for 5.2 series * 6-0-information-disclosure.patch - Patch for 6.0 series * 6-1-information-disclosure.patch - Patch for 6.1 series Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Benoit Côté-Jodoin from Shopify for reporting this.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-200	Exposure of Sensitive Information to an Unauthorized Actor
CWE-209	Generation of Error Message Containing Sensitive Information
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
epss	0.03096	https://api.first.org/data/v1/epss?cve=CVE-2021-22885
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
cvssv3.1	7.5	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
cvssv3	7.5	https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
cvssv3.1	7.5	https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
generic_textual	HIGH	https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
cvssv3.1	7.5	https://hackerone.com/reports/1106652
generic_textual	HIGH	https://hackerone.com/reports/1106652
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2021-22885
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2021-22885
archlinux	Medium	https://security.archlinux.org/AVG-1920
archlinux	Medium	https://security.archlinux.org/AVG-1921
archlinux	Medium	https://security.archlinux.org/AVG-2090
archlinux	Medium	https://security.archlinux.org/AVG-2223
cvssv3.1	7.5	https://security.netapp.com/advisory/ntap-20210805-0009
generic_textual	HIGH	https://security.netapp.com/advisory/ntap-20210805-0009

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-22885
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml
		https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
		https://hackerone.com/reports/1106652
		https://nvd.nist.gov/vuln/detail/CVE-2021-22885
		https://security.netapp.com/advisory/ntap-20210805-0009
		https://security.netapp.com/advisory/ntap-20210805-0009/
		https://www.debian.org/security/2021/dsa-4929
1957441		https://bugzilla.redhat.com/show_bug.cgi?id=1957441
988214		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
AVG-1920		https://security.archlinux.org/AVG-1920
AVG-1921		https://security.archlinux.org/AVG-1921
AVG-2090		https://security.archlinux.org/AVG-2090
AVG-2223		https://security.archlinux.org/AVG-2223
GHSA-hjg4-8q5f-x6fm		https://github.com/advisories/GHSA-hjg4-8q5f-x6fm
RHSA-2021:4702		https://access.redhat.com/errata/RHSA-2021:4702

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://hackerone.com/reports/1106652

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22885

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20210805-0009

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.86736
EPSS Score	0.03096
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:02:58.564820+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hjg4-8q5f-x6fm/GHSA-hjg4-8q5f-x6fm.json	38.0.0