CVE-2021-22903: 
Ruby vulnerability analysis and mitigation

The actionpack ruby gem before version 6.1.3.2 contains an open redirect vulnerability (CVE-2021-22903). The vulnerability affects versions >= v6.1.0.rc2 and was discovered in May 2021. The issue lies in the Host Authorization middleware in Action Pack, where specially crafted Host headers combined with certain "allowed host" formats can cause users to be redirected to malicious websites (Ruby Rails Discussion, Openwall).

The vulnerability stems from improper string handling in the Host Authorization middleware. Since a specific commit (rails/rails@9bc7ea5), strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. For example, when config.hosts << "sub.example.com" is set, the system incorrectly permits requests with a Host header value of sub-example.com. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers to redirect users to malicious websites through specially crafted Host headers. This is particularly concerning as it could be used in phishing attacks or other malicious redirect scenarios (Ruby Rails Discussion).

The vulnerability has been fixed in version 6.1.3.2. For users unable to upgrade immediately, a workaround is available through a monkey patch that can be placed in an initializer. The patch modifies the sanitize_string method in the ActionDispatch::HostAuthorization::Permissions class to properly escape regular expressions (Ruby Rails Discussion).