VDB

CVE-2021-22881

CVE-2021-22881 PUBLISHED

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.

EPSS 15.45% · 94.8th percentile

Risk Scores

EPSS Score
15.45%
94.8th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSrails*, 0, 2:4.1.10-1
Ubuntu:Pro:22.04:LTSrails0, 2:6.0.3.7+dfsg-2, 2:6.1.4.1+dfsg-8ubuntu2+esm1
Ubuntu:25.10rails2:6.1.7.3+dfsg-7, 0, 2:7.2.2.1+dfsg-7
Ubuntu:24.04:LTSrails2:6.1.7.3+dfsg-3, 0, 2:6.1.7.3+dfsg-2build1
Ubuntu:Pro:18.04:LTSrails0, 2:4.2.9-2, 2:4.2.9-4
Ubuntu:Pro:20.04:LTSrails2:5.2.3+dfsg-3, 0, 2:5.2.3+dfsg-3ubuntu0.1~esm1

Timeline

  • CVE Published
  • Feb 11, 2021 PoC Published
  • Feb 11, 2021 PoC Published
  • Apr 14, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • Mar 7, 2023 EPSS Score
  • Mar 17, 2025 EPSS Score
  • Mar 24, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score
  • May 1, 2025 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›