CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2305 vulnerabilities reference this CWE, most recent first.
GHSA-92J7-WGMG-F32M
Vulnerability from github – Published: 2026-02-03 20:58 – Updated: 2026-02-04 17:45Summary
Description An Open Redirect (CWE-601) vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.
Impact
Qwik City automatically applies the fixTrailingSlash middleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).
Exploitation allows an attacker to craft links that trigger a 301 redirect to arbitrary protocol-relative URLs. Browsers interpret this Location header as a protocol-relative URL, redirecting the user to attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.
Patches
This has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@builder.io/qwik-city"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25149"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T20:58:25Z",
"nvd_published_at": "2026-02-03T22:16:30Z",
"severity": "LOW"
},
"details": "### Summary\n\n**Description**\nAn Open Redirect (CWE-601) vulnerability in Qwik City\u0027s default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This affects qwik-city before version 1.19.0. This has been patched in qwik-city version 1.19.0.\n\n### Impact\nQwik City automatically applies the\u00a0`fixTrailingSlash`\u00a0middleware to page routes to ensure URL consistency. This vulnerability impacts all Qwik City applications deployed to runtimes that have a catch-all path to match arbitrary domains and that do not automatically normalize URL paths (e.g. Bun).\n\nExploitation allows an attacker to craft links that trigger a 301 redirect to\u00a0arbitrary protocol-relative URLs. Browsers interpret this\u00a0Location\u00a0header as a protocol-relative URL, redirecting the user to\u00a0attacker-controlled domains. This can enable phishing attacks and token theft among other common open redirect exploits.\n\n### Patches\nThis has been patched in qwik-city version 1.19.0. Users are strongly encouraged to update to the latest available release.",
"id": "GHSA-92j7-wgmg-f32m",
"modified": "2026-02-04T17:45:51Z",
"published": "2026-02-03T20:58:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25149"
},
{
"type": "WEB",
"url": "https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/QwikDev/qwik"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U",
"type": "CVSS_V4"
}
],
"summary": "Qwik City Open Redirect via fixTrailingSlash"
}
GHSA-92M7-4FPW-2WXM
Vulnerability from github – Published: 2026-06-10 15:31 – Updated: 2026-06-10 18:31Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.
{
"affected": [],
"aliases": [
"CVE-2026-53440"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T14:16:36Z",
"severity": "MODERATE"
},
"details": "Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the \"from\" parameter in the \"Delegate to servlet container\" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain.",
"id": "GHSA-92m7-4fpw-2wxm",
"modified": "2026-06-10T18:31:45Z",
"published": "2026-06-10T15:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53440"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-06-10/#SECURITY-3721"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92RF-VJV9-RRJM
Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-08-08 21:30A vulnerability, which was classified as problematic, was found in zlt2000 microservices-platform up to 6.0.0. This affects the function onLogoutSuccess of the file src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java. The manipulation of the argument redirect_url leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8737"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T20:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as problematic, was found in zlt2000 microservices-platform up to 6.0.0. This affects the function onLogoutSuccess of the file src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java. The manipulation of the argument redirect_url leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-92rf-vjv9-rrjm",
"modified": "2025-08-08T21:30:41Z",
"published": "2025-08-08T21:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8737"
},
{
"type": "WEB",
"url": "https://github.com/zlt2000/microservices-platform/issues/78"
},
{
"type": "WEB",
"url": "https://github.com/zlt2000/microservices-platform/issues/78#issue-3264847333"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.319233"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.319233"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.623477"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9349-RR4X-VWCG
Vulnerability from github – Published: 2025-01-24 21:31 – Updated: 2025-01-24 21:31A vulnerability has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this vulnerability is the function qrCode of the file src/main/java/io/github/controller/QrCodeController.java. The manipulation of the argument text leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.
{
"affected": [],
"aliases": [
"CVE-2025-0705"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-24T19:15:13Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d and classified as problematic. Affected by this vulnerability is the function qrCode of the file src/main/java/io/github/controller/QrCodeController.java. The manipulation of the argument text leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available.",
"id": "GHSA-9349-rr4x-vwcg",
"modified": "2025-01-24T21:31:28Z",
"published": "2025-01-24T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0705"
},
{
"type": "WEB",
"url": "https://github.com/JoeyBling/bootplus/issues/27"
},
{
"type": "WEB",
"url": "https://github.com/JoeyBling/bootplus/issues/27#issue-2786941847"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.293233"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.293233"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.480844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-936G-QJ35-5658
Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-07 18:30In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can redirect users to malicious pages through the login page.
{
"affected": [],
"aliases": [
"CVE-2024-21794"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-02T00:15:54Z",
"severity": "MODERATE"
},
"details": "In Rapid Software LLC\u0027s Rapid SCADA versions prior to\u00a0Version 5.8.4,\u00a0an attacker can redirect users to malicious pages through the login page.\n",
"id": "GHSA-936g-qj35-5658",
"modified": "2024-02-07T18:30:27Z",
"published": "2024-02-02T00:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21794"
},
{
"type": "WEB",
"url": "https://rapidscada.org/contact"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9394-RW2Q-X5M7
Vulnerability from github – Published: 2024-11-04 21:30 – Updated: 2025-01-16 06:31Bruno before 1.29.1 uses Electron shell.openExternal without validation (of http or https) for opening windows within the Markdown docs viewer.
{
"affected": [],
"aliases": [
"CVE-2024-48463"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T21:15:04Z",
"severity": "MODERATE"
},
"details": "Bruno before 1.29.1 uses Electron shell.openExternal without validation (of http or https) for opening windows within the Markdown docs viewer.",
"id": "GHSA-9394-rw2q-x5m7",
"modified": "2025-01-16T06:31:10Z",
"published": "2024-11-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48463"
},
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/pull/3122"
},
{
"type": "WEB",
"url": "https://gist.github.com/opcod3r/ab69f36d52367df7ffac32a597dff31c"
},
{
"type": "WEB",
"url": "https://github.com/usebruno/bruno/releases/tag/v1.29.1"
},
{
"type": "WEB",
"url": "https://www.usebruno.com/changelog"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-93HW-75C6-JQV2
Vulnerability from github – Published: 2025-01-27 21:30 – Updated: 2025-01-28 21:31An issue in Tianjin Xiaowu Information technology Co., Ltd BeiKe Holdings iOS 1.3.50 allows attackers to access sensitive user information via supplying a crafted link.
{
"affected": [],
"aliases": [
"CVE-2024-56960"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T19:15:17Z",
"severity": "MODERATE"
},
"details": "An issue in Tianjin Xiaowu Information technology Co., Ltd BeiKe Holdings iOS 1.3.50 allows attackers to access sensitive user information via supplying a crafted link.",
"id": "GHSA-93hw-75c6-jqv2",
"modified": "2025-01-28T21:31:02Z",
"published": "2025-01-27T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56960"
},
{
"type": "WEB",
"url": "https://github.com/ZhouZiyi1/Vuls/blob/main/241226-BeiKeHoldings/241226-BeiKeHoldings.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-93M4-MFPG-C3XF
Vulnerability from github – Published: 2025-05-28 17:36 – Updated: 2025-05-30 15:26Impact
A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.
If an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.
It's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.
Patches
Patched version ensure proper validation of the headers and do not allow downgrading from https to http.
3.x versions are fixed on >=3.2.2 2.71.x versions are fixed on >=2.71.11 2.x versions are fixed on >=2.70.12
Workarounds
The recommended solution is to update ZITADEL to a patched version.
A ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.
Questions
If you have any questions or comments about this advisory, please email us at security@zitadel.com
Credits
Thanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250528081227-c097887bc5f6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.38.3"
},
{
"fixed": "2.70.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-rc1"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.71.10"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.71.0"
},
{
"fixed": "2.71.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.38.2-0.20240919104753-94d1eb767837"
},
"package": {
"ecosystem": "Go",
"name": "github.com/zitadel/zitadel/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48936"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T17:36:55Z",
"nvd_published_at": "2025-05-30T07:15:24Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA potential vulnerability exists in ZITADEL\u0027s password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.\n\nIf an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user\u0027s password and gain unauthorized access to their account.\n\nIt\u0027s important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.\n\n### Patches\n\nPatched version ensure proper validation of the headers and do not allow downgrading from https to http.\n\n3.x versions are fixed on \u003e=[3.2.2](https://github.com/zitadel/zitadel/releases/tag/v3.2.2)\n2.71.x versions are fixed on \u003e=[2.71.11](https://github.com/zitadel/zitadel/releases/tag/v2.71.11)\n2.x versions are fixed on \u003e=[2.70.12](https://github.com/zitadel/zitadel/releases/tag/v2.70.12)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nA ZITADEL fronting proxy can be configured to delete all Forwarded and X-Forwarded-Host header values before sending requests to ZITADEL self-hosted environments.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Amit Laish \u2013 GE Vernova for finding and reporting the vulnerability.",
"id": "GHSA-93m4-mfpg-c3xf",
"modified": "2025-05-30T15:26:11Z",
"published": "2025-05-28T17:36:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-93m4-mfpg-c3xf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48936"
},
{
"type": "WEB",
"url": "https://github.com/zitadel/zitadel/commit/c097887bc5f680e12c998580fb56d98a15758f53"
},
{
"type": "PACKAGE",
"url": "https://github.com/zitadel/zitadel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ZITADEL Allows Account Takeover via Malicious X-Forwarded-Proto Header Injection"
}
GHSA-93XP-QHPP-8V37
Vulnerability from github – Published: 2026-03-09 21:31 – Updated: 2026-03-11 15:31An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
{
"affected": [],
"aliases": [
"CVE-2025-70032"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T19:16:00Z",
"severity": "MODERATE"
},
"details": "An issue pertaining to CWE-601: URL Redirection to Untrusted Site was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.",
"id": "GHSA-93xp-qhpp-8v37",
"modified": "2026-03-11T15:31:37Z",
"published": "2026-03-09T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70032"
},
{
"type": "WEB",
"url": "https://gist.github.com/zcxlighthouse/8a2124f8795db2755c2b2d0f2abcd3f5"
},
{
"type": "WEB",
"url": "https://github.com/Sunbird-Ed"
},
{
"type": "WEB",
"url": "https://github.com/Sunbird-Ed/SunbirdEd-portal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9445-4CR6-336R
Vulnerability from github – Published: 2023-01-18 18:21 – Updated: 2023-06-26 22:33There is a vulnerability in Action Controller’s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.
Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.0.4.1 Impact
There is a possible open redirect when using the redirect_to helper with untrusted user input.
Vulnerable code will look like this:
redirect_to(params[:some_param])
Rails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.
All users running an affected release should either upgrade or use one of the workarounds immediately. Releases
The FIXED releases are available at the normal locations. Workarounds
There are no feasible workarounds for this issue. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
7-0-Fix-sec-issue-with-_url_host_allowed.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22797"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-18T18:21:23Z",
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "There is a vulnerability in Action Controller\u2019s redirect_to. This vulnerability has been assigned the CVE identifier CVE-2023-22797.\n\nVersions Affected: \u003e= 7.0.0 Not affected: \u003c 7.0.0 Fixed Versions: 7.0.4.1\nImpact \n\nThere is a possible open redirect when using the redirect_to helper with untrusted user input.\n\nVulnerable code will look like this:\n```\nredirect_to(params[:some_param])\n```\n\nRails 7.0 introduced protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could be bypassed by a carefully crafted URL.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\nReleases\n\nThe FIXED releases are available at the normal locations.\nWorkarounds\n\nThere are no feasible workarounds for this issue.\nPatches\n\nTo aid users who aren\u2019t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n 7-0-Fix-sec-issue-with-_url_host_allowed.patch - Patch for 7.0 series\n\nPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.",
"id": "GHSA-9445-4cr6-336r",
"modified": "2023-06-26T22:33:39Z",
"published": "2023-01-18T18:21:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22797"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open Redirect Vulnerability in Action Pack"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.