CVE-2023-28362
Publication date 9 January 2025
Last updated 11 July 2025
Ubuntu priority
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rails | 25.04 plucky |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Ignored end of standard support | |
| ruby-rails-3.2 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support | |
| ruby-actionpack-3.2 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support | |
| ruby-activesupport-3.2 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support | |
| ruby-activerecord-3.2 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support | |
| ruby-activemodel-3.2 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support | |
| rails-4.0 | 25.04 plucky | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored end of standard support |
Notes
seth-arnold
In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
4.0 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References
Other references
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5 (main)
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441 (v6.1.7.4)
- https://www.cve.org/CVERecord?id=CVE-2023-28362