Information Disclosure in Action Pack by NetApp
CVE-2021-22885

7.5HIGH

Key Information:

Vendor

Rubyonrails

Status
Https://github.com/rails/rails
Vendor
CVE Published:
27 May 2021

What is CVE-2021-22885?

An information disclosure and unintended method execution vulnerability has been identified in Action Pack starting from version 2.0.0. This issue occurs when using the redirect_to or polymorphic_url helpers with untrusted user input, potentially leading to exposure of sensitive information or movement into unintended application contexts, posing a risk to application integrity.

Affected Version(s)

https://github.com/rails/rails 6.1.3.1, 6.0.3.7, 5.2.4.6, 5.2.6

References

https://hackerone.com/reports/1106652
x_refsource_MISC
https://www.debian.org/security/2021/dsa-4929
vendor-advisoryx_refsource_DEBIAN
https://security.netapp.com/advisory/ntap-20210805-0009/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-22885 : Information Disclosure in Action Pack by NetApp