CVE Vulnerability

CVE-2023-22797

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 Not Applicable
Configurations

Configuration 1

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:actionpack_project:actionpack:*:*:*:*:*:ruby:*:*
Information

Published : 2023-02-09 08:15

Updated : 2023-02-21 03:50

NVD link : CVE-2023-22797

Mitre link : CVE-2023-22797

Products Affected

Rails

Rubyonrails

CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')