Upgrade rails/actionpack to 6.1.4.1 to resolve CVE-2021-22942
A customer scan brought to our attention that a new version of Rails (along with the actionpack gem) is out which fixes CVE-2021-22942:
Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Via the Google Groups thread:
Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:
config.hosts << '.EXAMPLE.com'
It doesn't look like the GitLab application has any configuration like that by default, so this will be set at a lower severity/priority. We will still need to upgrade so that customer scans stop flagging this.
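To make the two checks in this issue repeatable (does the app configure any leading-dot allowed hosts, and is the installed actionpack at or above the fixed release), here is a small audit script. It is an added example written for this issue, not code from GitLab or from Rails; the config fragment and Gemfile.lock excerpt are constructed sample input, and the 6.0.4.1 cut-off for the 6.0 series is the companion patch release to the 6.1.4.1 named above.

```ruby
# Audit helper for CVE-2021-22942 (Rails Host Authorization, leading-dot allowed hosts).
# Added example for this issue; not part of GitLab or Rails.
require "rubygems"

# Constructed config/environments/production.rb fragment (sample input, not GitLab's config).
SAMPLE_CONFIG = <<~RUBY
  # constructed sample, mirrors the pattern called out in the advisory
  config.hosts << '.EXAMPLE.com'
  config.hosts << "gitlab.example.com"
  config.hosts += ["www.example.com"]
RUBY

# Constructed Gemfile.lock excerpt (sample input). Specs are indented four spaces,
# their dependencies six, which is how the version line is told apart below.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.4)
        actionview (= 6.1.4)
        rack (~> 2.0, >= 2.0.9)
LOCK

# Return every string literal on a `config.hosts` line that starts with a dot.
# These are the "allowed host" entries the advisory says make an app impacted.
def leading_dot_hosts(config_source)
  config_source.each_line.flat_map do |line|
    next [] unless line.match?(/\bconfig\.hosts\b/)
    line.scan(/['"]([^'"]+)['"]/).flatten.select { |host| host.start_with?(".") }
  end
end

# Pull the resolved actionpack version out of a Gemfile.lock.
def actionpack_version_from_lockfile(lock_text)
  match = lock_text.match(/^    actionpack \((\d[\d.]*)\)/)
  match && match[1]
end

# True when the version carries the fix. HostAuthorization was introduced in Rails 6.0,
# so anything older is not affected; 6.0.x is fixed from 6.0.4.1, 6.1.x from 6.1.4.1.
def actionpack_patched?(version_string)
  version = Gem::Version.new(version_string)
  return true if version < Gem::Version.new("6.0.0")
  return version >= Gem::Version.new("6.0.4.1") if version < Gem::Version.new("6.1.0")
  version >= Gem::Version.new("6.1.4.1")
end

# Combine both checks into the kind of summary a triage note needs.
# Priority follows the issue's reasoning: no leading-dot hosts means lower priority,
# but an unpatched gem still needs the upgrade so scanners stop flagging it.
def assess(config_source, lock_text)
  version = actionpack_version_from_lockfile(lock_text)
  hosts = leading_dot_hosts(config_source)
  {
    actionpack: version,
    patched: version ? actionpack_patched?(version) : nil,
    leading_dot_hosts: hosts,
    priority: hosts.empty? ? :lower : :higher,
  }
end

if $PROGRAM_NAME == __FILE__
  p assess(SAMPLE_CONFIG, SAMPLE_LOCK)
end
```

Run it against a real `config/environments/*.rb` and `Gemfile.lock` by reading those files instead of the constructed samples; an entry in `leading_dot_hosts` together with `patched: false` is the combination that matches the advisory's description of an impacted application.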
Resources
- Google Groups thread
- The actionpack repository changelog
- NIST page (note: as of August 23, 2021 this page did not have any information yet)
- Red Hat Customer Portal and Bugzilla