VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-msda-xqbp-qfdd

Essentials
Severities (27)
References (12)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-msda-xqbp-qfdd
Aliases	CVE-2021-22903 GHSA-5hq2-xf89-9jxq
Summary	Possible Open Redirect Vulnerability in Action Pack There is a possible Open Redirect Vulnerability in Action Pack. Versions Affected: >= v6.1.0.rc2 Not affected: < v6.1.0.rc2 Fixed Versions: 6.1.3.2 Impact ------ This is similar to CVE-2021-22881. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Since rails/rails@9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch put in an initializer can be used as a workaround. ```ruby class ActionDispatch::HostAuthorization::Permissions def sanitize_string(host) if host.start_with?(".") /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i else /\A#{Regexp.escape host}\z/i end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-1-open-redirect.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks Jonathan Hefner (https://hackerone.com/jonathanhefner) for reporting this bug!
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-601	URL Redirection to Untrusted Site ('Open Redirect')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
epss	0.00151	https://api.first.org/data/v1/epss?cve=CVE-2021-22903
cvssv3.1	6.1	https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
generic_textual	MODERATE	https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
cvssv3.1	6.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-5hq2-xf89-9jxq
cvssv3.1	6.1	https://github.com/rails/rails/releases/tag/v6.1.3.2
generic_textual	MODERATE	https://github.com/rails/rails/releases/tag/v6.1.3.2
cvssv3.1	6.1	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
cvssv3	6.1	https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
cvssv3.1	6.1	https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
generic_textual	MODERATE	https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
cvssv3.1	6.1	https://hackerone.com/reports/1148025
generic_textual	MODERATE	https://hackerone.com/reports/1148025
cvssv3.1	6.1	https://nvd.nist.gov/vuln/detail/CVE-2021-22903
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2021-22903
archlinux	Medium	https://security.archlinux.org/AVG-1919

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json
		https://api.first.org/data/v1/epss?cve=CVE-2021-22903
		https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/rails/rails/releases/tag/v6.1.3.2
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml
		https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0
		https://hackerone.com/reports/1148025
		https://nvd.nist.gov/vuln/detail/CVE-2021-22903
1957438		https://bugzilla.redhat.com/show_bug.cgi?id=1957438
AVG-1919		https://security.archlinux.org/AVG-1919
GHSA-5hq2-xf89-9jxq		https://github.com/advisories/GHSA-5hq2-xf89-9jxq

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22903.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/releases/tag/v6.1.3.2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://hackerone.com/reports/1148025

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-22903

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.35693
EPSS Score	0.00151
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:02:54.348574+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-5hq2-xf89-9jxq/GHSA-5hq2-xf89-9jxq.json	38.0.0