UBUNTU-CVE-2023-28362
- Source
- https://ubuntu.com/security/CVE-2023-28362
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-28362.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-28362
- Upstream
- Published
- 2025-01-09T01:15:00Z
- Modified
- 2026-05-20T16:07:36.374667415Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
- References
-
- https://ubuntu.com/security/CVE-2023-28362
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://www.cve.org/CVERecord?id=CVE-2023-28362
Affected packages
Ubuntu:24.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "rails"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actioncable"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actionmailbox"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actiontext"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-activestorage"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:6.1.7.3+dfsg-3",
"binary_name": "ruby-railties"
}
]
}Ubuntu:25.10
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "rails"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actioncable"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actionmailbox"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actiontext"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-activestorage"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:7.2.2.1+dfsg-7",
"binary_name": "ruby-railties"
}
]
}Ubuntu:26.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "rails"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actioncable"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actionmailbox"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actiontext"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-activestorage"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:7.2.3+dfsg-2",
"binary_name": "ruby-railties"
}
]
}Ubuntu:Pro:16.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=esm-apps%2Fxenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2:4.*
2:4.1.10-1
2:4.2.5-1
2:4.2.5.1-1
2:4.2.5.2-2
2:4.2.6-1
2:4.2.6-1ubuntu0.1~esm1
2:4.2.6-1ubuntu0.1~esm2
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "rails"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:4.2.6-1ubuntu0.1~esm2",
"binary_name": "ruby-railties"
}
]
}Ubuntu:Pro:18.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=esm-apps%2Fbionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2:4.*
2:4.2.9-2
2:4.2.9-4
2:4.2.10-0ubuntu4
2:4.2.10-0ubuntu4+esm1
2:4.2.10-0ubuntu4+esm2
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "rails"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:4.2.10-0ubuntu4+esm2",
"binary_name": "ruby-railties"
}
]
}Ubuntu:Pro:20.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=esm-apps%2Ffocal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "rails"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-actioncable"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-activestorage"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1",
"binary_name": "ruby-railties"
}
]
}Ubuntu:Pro:22.04:LTS
rails
Package
- Name
- rails
- Purl
- pkg:deb/ubuntu/rails?arch=source&distro=esm-apps%2Fjammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "rails"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actioncable"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actionmailbox"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actionmailer"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actionpack"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actiontext"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-actionview"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-activejob"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-activemodel"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-activerecord"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-activestorage"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-activesupport"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-rails"
},
{
"binary_version": "2:6.1.4.1+dfsg-8ubuntu2+esm1",
"binary_name": "ruby-railties"
}
]
}