CVE-2023-22797

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-22797

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-22797.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-22797

Aliases

GHSA-9445-4cr6-336r

Related

Published

2023-02-09T20:15:11Z

Modified

2024-09-03T08:03:13.340254Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.

References

https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127

Affected packages

Git / github.com/rails/rails

Affected ranges

Type: GIT
Repo: https://github.com/rails/rails
Events: Introduced

984c3ef2775781d47efa9f541ce570daa2434a80

Fixed

23e0345fe900dfd7edd6e8e5a7a6bd54b2a7d2ed

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.2.1

v7.0.2.2

v7.0.2.3

v7.0.2.4

v7.0.3

v7.0.3.1

v7.0.4