Upgrade rails/actionpack to 6.1.4.1 to resolve CVE-2021-22942

A customer scan brought to our attention that a new version of Rails (along with the actionpack gem) is out which fixes CVE-2021-22942:

Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Via the Google Groups thread:

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts << '.EXAMPLE.com'

It doesn't look like the GitLab application has any configurations like that by default, so this will be set at a lower severity/priority. We will still need to upgrade in order to make sure our customer scans aren't detecting this.
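
One way to check a Rails configuration for the allowed-host format quoted above, as an added example that is not code from GitLab or Rails. The `leading_dot_hosts` helper and the sample configuration are constructed for illustration, and the scan is a line-based heuristic that only sees string literals.

```ruby
# Added example: flag config.hosts entries with a leading dot, the allowed-host
# format the advisory names as the precondition for CVE-2021-22942.

# A line that touches config.hosts (<<, +=, =, .push, .concat, ...).
HOSTS_LINE = /\bconfig\.hosts\b/
# A quoted string literal whose first character is a dot.
LEADING_DOT_LITERAL = /(['"])(\.[^'"]+)\1/

# Returns [{ file:, line:, host: }, ...] for each leading-dot literal that
# appears on a config.hosts line or inside a multi-line array opened on one.
# Comment-only lines are skipped; Regexp and IPAddr entries are not inspected.
def leading_dot_hosts(source, file: "(inline)")
  findings = []
  depth = 0 # > 0 while inside a bracketed list that started on a hosts line
  source.each_line.with_index(1) do |text, lineno|
    code = text.strip
    next if code.empty? || code.start_with?("#")
    next unless depth.positive? || code.match?(HOSTS_LINE)

    code.scan(LEADING_DOT_LITERAL) do |_quote, host|
      findings << { file: file, line: lineno, host: host }
    end
    depth += code.count("[(") - code.count("])")
    depth = 0 if depth.negative?
  end
  findings
end

# Constructed sample input (hypothetical environment file, not GitLab's).
SAMPLE = <<~'RUBY'
  Rails.application.configure do
    config.hosts << "gitlab.example.com"
    config.hosts << '.EXAMPLE.com'
    # config.hosts << '.commented-out.example'
    config.hosts += [
      "www.example.org",
      ".example.org",
    ]
    config.cache_store = :memory_store, { namespace: ".not-a-host" }
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  # Scan files given on the command line, or the sample when none are given.
  inputs = ARGV.empty? ? { "sample.rb" => SAMPLE } : ARGV.to_h { |p| [p, File.read(p)] }
  hits = inputs.flat_map { |name, src| leading_dot_hosts(src, file: name) }
  hits.each { |h| puts "#{h[:file]}:#{h[:line]}: leading-dot allowed host #{h[:host].inspect}" }
  puts "no leading-dot config.hosts entries found" if hits.empty?
end
```

Run it with the paths of the environment and initializer files as arguments; an empty result covers only string literals in those files, not hosts added at runtime.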

Resources