GMS-2023-57: Open Redirect Vulnerability in Action Pack
This is a duplicate of /gem/actionpack/CVE-2023-22797.yml. There is a vulnerability in Action Controller's redirect_to helper: a possible open redirect when redirect_to is called with untrusted user input. Vulnerable code looks like this: redirect_to(params[:some_param])

Rails 7.0 introduced protection against open redirects when redirect_to is called with untrusted user input (enabled by config.action_controller.raise_on_open_redirects; a redirect to another host must be opted into with allow_other_host: true, otherwise ActionController::Redirecting::UnsafeRedirectError is raised). In prior versions the developer was fully responsible for only providing trusted input. However, the host check introduced in 7.0 could be bypassed by a carefully crafted URL, so applications that relied on it were still exposed. The check is fixed in Action Pack 7.0.4.1; applications on 7.0.0 through 7.0.4 should upgrade and, on any version, validate or allowlist redirect targets rather than passing request parameters straight to redirect_to.
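The following is an added example, not code from the advisory or from Rails: a strict validator for user-supplied redirect targets that only accepts path-only, same-application values and returns a fixed fallback for anything else, so the value handed to redirect_to can never name another host. The names safe_local_path, vulnerable_redirect, hardened_redirect and DEFAULT_FALLBACK are assumed for illustration, and the sample inputs are constructed; vulnerable_redirect and hardened_redirect stand in for a controller action so the example runs without Rails.

```ruby
# Added example (not Rails code): a strict validator for user-supplied
# redirect targets. It accepts only path-only, same-application targets and
# returns a fixed fallback for everything else, so the value handed to
# redirect_to can never name another host.
require "uri"

DEFAULT_FALLBACK = "/".freeze

# Returns +candidate+ if it is a plain absolute path on this application,
# otherwise +fallback+. The check is deliberately stricter than comparing
# URI(candidate).host with the request host: browsers treat "//host",
# "///host" and "/\host" as off-site navigations, while a strict URI parser
# may report no host for some of those forms (or reject them outright), and
# that kind of parser/browser disagreement is what an open-redirect bypass
# lives on.
def safe_local_path(candidate, fallback: DEFAULT_FALLBACK)
  return fallback unless candidate.is_a?(String) && !candidate.empty?

  # Reject anything carrying a scheme ("http:", "https:", "javascript:", "data:" ...).
  return fallback if candidate.match?(/\A[a-z][a-z0-9+.\-]*:/i)

  # Must start with exactly one "/" that is not followed by "/" or "\".
  return fallback unless candidate.match?(%r{\A/(?![/\\])})

  # Reject control characters, whitespace and backslashes anywhere in the
  # value; browsers normalise several of these in ways URI parsers do not.
  return fallback if candidate.match?(/[\x00-\x20\x7f\\]/)

  # Belt and braces: a strict parse must also agree there is no authority part.
  uri = URI.parse(candidate)
  return fallback if uri.scheme || uri.host || uri.userinfo || uri.port

  candidate
rescue URI::InvalidURIError
  fallback
end

# Constructed stand-ins for a controller action (no Rails needed to run this).
# Both return the Location value that would be handed to redirect_to.
# The vulnerable pattern from the advisory passes params[:some_param] through
# untouched; the hardened pattern routes it through safe_local_path first.
def vulnerable_redirect(params)
  params[:some_param]
end

def hardened_redirect(params)
  safe_local_path(params[:some_param], fallback: "/dashboard")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from the advisory.
  samples = [
    "/account/settings",
    "//evil.example/",
    "///evil.example",
    "/\\evil.example",
    "https://evil.example/",
    "javascript:alert(1)"
  ]
  samples.each do |s|
    puts format("%-26s vulnerable=%-24s hardened=%s",
                s.inspect,
                vulnerable_redirect(some_param: s).inspect,
                hardened_redirect(some_param: s).inspect)
  end
end
```

On Rails 7.0.4.1 and later the framework's own check (raise_on_open_redirects, allow_other_host: and the url_from helper) is the first line of defence; a validator like this, or better still an allowlist of known routes, is the second line, and is the only line on versions that predate the built-in check.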
References
CVE-2023-22797