diff --git a/CVE-2023-22797.patch b/CVE-2023-22797.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e5a9b98a5d8d420f0464f515e9dd773ad8615e2d
--- /dev/null
+++ b/CVE-2023-22797.patch
@@ -0,0 +1,32 @@
+From e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92 Mon Sep 17 00:00:00 2001
+From: wonda-tea-coffee
+Date: Mon, 5 Dec 2022 12:27:15 +0000
+Subject: [PATCH] Fix sec issue with _url_host_allowed?
+
+Disallow certain strings from `_url_host_allowed?` to avoid a redirect
+to malicious sites.
+
+[CVE-2023-22797]
+---
+ .../action_controller/metal/redirecting.rb | 6 ++-
+ actionpack/test/controller/redirect_test.rb | 38 +++++++++++++++++++
+ 2 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/actionpack/lib/action_controller/metal/redirecting.rb b/actionpack/lib/action_controller/metal/redirecting.rb
+index 721d5d3279..0ae6a48748 100644
+--- a/actionpack/lib/action_controller/metal/redirecting.rb
++++ b/actionpack/lib/action_controller/metal/redirecting.rb
+@@ -196,7 +196,11 @@ def _enforce_open_redirect_protection(location, allow_other_host:)
+
+ def _url_host_allowed?(url)
+ host = URI(url.to_s).host
+- host == request.host || host.nil? && url.to_s.start_with?("/")
++
++ return true if host == request.host
++ return false unless host.nil?
++ return false unless url.to_s.start_with?("/")
++ return !url.to_s.start_with?("//")
+ rescue ArgumentError, URI::Error
+ false
+ end
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 80b69dcf26efff7d3889e6b905f376a8611bed47..a461e69b8ea01af9d8e32336292b4e5673c07e7d 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -4,7 +4,7 @@ Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 7.0.4
-Release: 1
+Release: 2
 Summary: Web-flow and rendering framework putting the VC in MVC (part of Rails)
 License: MIT
 URL: http://rubyonrails.org
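Review bot: In the embedded redirecting.rb hunk, the rewritten `_url_host_allowed?` evaluates `url.to_s` three times and closes with a redundant `return` on what is already the method's final expression; hoisting the string once, `str = url.to_s` right after the `host =` line, then `return false unless str.start_with?("/")` and `!str.start_with?("//")` as the last line, keeps a single value under test and matches the implicit-return style of the surrounding file. Separately, the patch's own diffstat lists `actionpack/test/controller/redirect_test.rb` with 38 insertions, yet the body ends after the redirecting.rb hunk, so the upstream regression tests for CVE-2023-22797 are not carried and the header no longer describes the content; `%patch1 -p2` will not care, but anyone feeding the file to `git am` or rebasing it later will, so either include the test hunk or trim the diffstat and "2 files changed" line to what is actually present. The method's enclosing module is outside the hunk.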
@@ -22,6 +22,7 @@ Source2: rails-%{version}-tools.txz
 # Fixes for Minitest 5.16+
 # https://github.com/rails/rails/pull/45370
 Patch0: rubygem-actionpack-7.0.2.3-Fix-tests-for-minitest-5.16.patch
+Patch1: CVE-2023-22797.patch
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 BuildRequires: ruby(release)
@@ -62,6 +63,7 @@ Documentation for %{name}.
 pushd %{_builddir}
 %patch0 -p2
+%patch1 -p2
 popd
 %build
@@ -104,13 +106,16 @@ popd
 %doc %{gem_instdir}/README.rdoc
 %changelog
+* Tue Feb 14 2023 jiangpeng - 1:7.0.4-2
+- Fix CVE-2023-22797
 * Fri Jan 20 2023 wangkai - 1:7.0.4-1
 - Upgrade to version 7.0.4
 * Thu Jun 30 2022 houyingchao - 1:6.1.4.1-2
 - Fix compilation failed
-* Thu May 03 2022 wangkerong - 6.1.4.1-1
+* Tue May 03 2022 wangkerong - 6.1.4.1-1
 - Upgrade to 6.1.4.1
 * Mon Jun 28 2021 wangyue - 5.2.4.4-3
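Review bot: The new `Patch1:` line carries no provenance comment, while the neighbouring `Patch0:` documents both what it fixes and the upstream pull request it came from; a security backport deserves at least the same, so a packager can later tell whether the fix is already in a newer upstream release and drop it. I would add, directly above the new line, `# Open redirect in _url_host_allowed? (CVE-2023-22797)` followed by `# backport of upstream commit e50e26d7a9f4a1e4fb5ef2538c30b2b5cc81bd92` (the id taken from the patch's own From header). The `%patch1 -p2` hunk further down is consistent with the `a/actionpack/...` paths inside the patch and needs no change.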