
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The redirect_to method in Rails contains a Cross-site Scripting (XSS) vulnerability (CVE-2023-28362) due to improper sanitization of user-supplied values. The vulnerability allows provided values to contain characters that are not legal in an HTTP header value, which can result in downstream services that enforce RFC compliance removing the assigned Location header. This vulnerability affects all versions of Rails, with fixes available in versions 7.0.5.1 and 6.1.7.4 (Rails Discussion, GitHub Advisory).
The vulnerability stems from the redirect_to method's handling of HTTP header values. The set of legal characters for an HTTP header value is defined in RFC 7230 section 3.2.6. When illegal characters are present in the URL, downstream services may remove the Location header due to RFC compliance requirements. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).
This vulnerability introduces the potential for a Cross-site scripting (XSS) payload to be delivered on the static redirection page. Exploitation requires user interaction and a Rails application configured to allow redirects to external hosts (which defaults to false in Rails >= 7.0.x) (GitHub Advisory).
The primary mitigation is to upgrade to the fixed versions: Rails 7.0.5.1 or 6.1.7.4. For users unable to upgrade immediately, the recommended workaround is to avoid passing user-supplied URLs with arbitrary schemes to redirect_to. The fix adds a check that the provided URL contains no characters that are illegal in an HTTP header value as defined in RFC 7230 section 3.2.6 (Rails Commit).
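The following Ruby is an added illustration of the kind of check the fix describes; it is not the Rails implementation. It validates a redirect target against the RFC 7230 section 3.2.6 field-value grammar, and models an RFC-compliant downstream proxy dropping a Location header whose value fails that grammar. All inputs are constructed sample values.

```ruby
# RFC 7230 s3.2.6: a field value is VCHAR / obs-text, separated by SP / HTAB.
# Everything else (NUL, LF, CR, the other C0 controls, DEL) is illegal.
# HTAB (0x09) is deliberately left out of the illegal range.
ILLEGAL_HEADER_VALUE = /[\x00-\x08\x0A-\x1F\x7F]/

# Hypothetical error class for this illustration.
class UnsafeRedirectError < StandardError; end

def legal_header_value?(value)
  !value.match?(ILLEGAL_HEADER_VALUE)
end

# Hardened path: reject the value before it can reach the response headers.
def safe_redirect_location(location)
  unless legal_header_value?(location)
    raise UnsafeRedirectError,
          "redirect URL contains characters not allowed in an HTTP header value (RFC 7230 s3.2.6)"
  end
  location
end

# Pre-fix behaviour, kept only so the difference is observable: the value is
# passed through unchanged, so illegal bytes end up in the Location header.
def unchecked_redirect_location(location)
  location
end

# Model of an RFC-compliant downstream service: any header whose value is not
# a legal field-value is removed, which is what the advisory says happens to
# the Location header.
def strict_proxy_filter(headers)
  headers.select { |_name, value| legal_header_value?(value) }
end

if __FILE__ == $0
  good = "https://example.com/path?q=1"
  bad  = "https://example.com/a\x00b\n"          # constructed: NUL and LF

  puts "good legal? #{legal_header_value?(good)}"  # true
  puts "bad  legal? #{legal_header_value?(bad)}"   # false

  headers = { "Location" => unchecked_redirect_location(bad),
              "Content-Type" => "text/html" }
  puts "proxy keeps: #{strict_proxy_filter(headers).keys.inspect}"  # ["Content-Type"]

  begin
    safe_redirect_location(bad)
  rescue UnsafeRedirectError => e
    puts "rejected: #{e.message}"
  end
end
```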
Source: This report was generated using AI