1. Home
  2. CVE Database
  3. CVE-2023-22797
MEDIUM · 6.1

CVE-2023-22797

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully re...

Vulnerability Description

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE

Affected Products

VendorProductVersions
Actionpack ProjectActionpack>= 7.0.0, < 7.0.4.1
RubyonrailsRails>= 7.0.0, < 7.0.4.1

Related Weaknesses (CWE)

CWE-601

References

FAQ

What is CVE-2023-22797?

CVE-2023-22797 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully re...

How severe is CVE-2023-22797?

CVE-2023-22797 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-22797?

Check the references section above for vendor advisories and patch information. Affected products include: Actionpack Project Actionpack, Rubyonrails Rails.