CVE-2021-22885

Published: 27/05/2021 Updated: 06/04/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

There is a possible information disclosure/unintended method execution vulnerability in Action Pack prior to 6.1.3.2, 6.0.3.7, 5.2.4.6 and 5.2.6 when using the "redirect_to" or "polymorphic_url" helper with untrusted user input.

Vulnerable Product

rubyonrails rails

rubyonrails actionpack page-caching -

debian debian linux 10.0

Vendor Advisories

Debian Bug report logs - #988214: CVE-2021-22885 CVE-2021-22902 CVE-2021-22904. Package: rails; Maintainer for rails is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails. Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Fri, 7 May 2021 19:3 ...
Multiple security issues were discovered in the Rails web framework which could result in denial of service. For the stable distribution (buster), these problems have been fixed in version 2:5.2.2.1+dfsg-1+deb10u3. We recommend that you upgrade your rails packages. For the detailed security status of rails please refer to its security tracker page ...
No description is available for this CVE ...
There is a possible information disclosure/unintended method execution vulnerability in Action Pack before versions 6.1.3.2, 6.0.3.7, 5.2.4.6 and 5.2.6 when using the "redirect_to" or "polymorphic_url" helper with untrusted user input ...