GHSA-wh98-p28r-vrc9

Vulnerability from github

Published

2022-02-11 20:49

Modified

2022-02-24 13:15

Severity

7.4 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Exposure of information in Action Pack

Details

Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

```ruby class GuardedExecutor < ActionDispatch::Executor def call(env) ensure_completed! super end

private

def ensure_completed!
  @executor.new.complete! if @executor.active?
end

end

Ensure the guard is inserted before ActionDispatch::Executor

Rails.application.configure do config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor end ```

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.6.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0.0"
            },
            {
              "fixed": "5.2.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.4.5"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0.0"
            },
            {
              "fixed": "6.0.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.1.4.5"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1.0.0"
            },
            {
              "fixed": "6.1.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.0.2.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0.0"
            },
            {
              "fixed": "7.0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23633"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-11T20:49:14Z",
    "nvd_published_at": "2022-02-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nUnder certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware.  In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request.  This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.\n\n### Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n### Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following middleware can be used:\n\n```ruby\nclass GuardedExecutor \u003c ActionDispatch::Executor\n  def call(env)\n    ensure_completed!\n    super\n  end\n\n  private\n\n    def ensure_completed!\n      @executor.new.complete! if @executor.active?\n    end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
  "id": "GHSA-wh98-p28r-vrc9",
  "modified": "2022-02-24T13:15:43Z",
  "published": "2022-02-11T20:49:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240119-0013"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5372"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of information in Action Pack"
}

cve-2022-23633

Vulnerability from cvelistv5

Published

2022-02-11 00:00

Modified

2024-08-03 03:51

Severity

7.4 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Exposure of sensitive information in Action Pack

References

URL	Tags
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
http://www.openwall.com/lists/oss-security/2022/02/11/5	mailing-list
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html	mailing-list
https://www.debian.org/security/2023/dsa-5372	vendor-advisory
https://security.netapp.com/advisory/ntap-20240119-0013/

Impacted products

Vendor	Product
rails	rails

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:44.739Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
          },
          {
            "name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
          },
          {
            "name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
          },
          {
            "name": "DSA-5372",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5372"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rails",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.0.0, \u003c 7.0.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.1.0.0, \u003c 6.1.4.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0.0, \u003c 6.0.4.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.2.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-19T16:06:28.821144",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
        },
        {
          "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
        },
        {
          "name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
        },
        {
          "name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
        },
        {
          "name": "DSA-5372",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5372"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
        }
      ],
      "source": {
        "advisory": "GHSA-wh98-p28r-vrc9",
        "discovery": "UNKNOWN"
      },
      "title": "Exposure of sensitive information in Action Pack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23633",
    "datePublished": "2022-02-11T00:00:00",
    "dateReserved": "2022-01-19T00:00:00",
    "dateUpdated": "2024-08-03T03:51:44.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

gsd-2022-23633

Vulnerability from gsd

Modified

2022-02-11 00:00

Details

## Impact Under certain circumstances response bodies will not be closed, for example a bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is not notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`. Upgrading to the FIXED versions of Rails will ensure mitigation if this issue even in the context of a buggy webserver or middleware implementation. ## Patches This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. ## Workarounds Upgrading is highly recommended, but to work around this problem the following middleware can be used: ``` class GuardedExecutor < ActionDispatch::Executor def call(env) ensure_completed! super end private def ensure_completed! @executor.new.complete! if @executor.active? end end # Ensure the guard is inserted before ActionDispatch::Executor Rails.application.configure do config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor end ```

Aliases

CVE-2022-23633

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-23633",
    "description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
    "id": "GSD-2022-23633",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-23633.html",
      "https://access.redhat.com/errata/RHSA-2022:5498",
      "https://www.debian.org/security/2023/dsa-5372"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionpack",
            "purl": "pkg:gem/actionpack"
          }
        }
      ],
      "aliases": [
        "CVE-2022-23633",
        "GHSA-wh98-p28r-vrc9"
      ],
      "details": "## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor \u003c ActionDispatch::Executor\n  def call(env)\n    ensure_completed!\n    super\n  end\n\n  private\n\n    def ensure_completed!\n      @executor.new.complete! if @executor.active?\n    end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
      "id": "GSD-2022-23633",
      "modified": "2022-02-11T00:00:00.000Z",
      "published": "2022-02-11T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/commit/10c64a472f2f19a5e485bdac7d5106a76aeb29a5"
        },
        {
          "type": "WEB",
          "url": "https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7021-february-11-2022"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.4,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Possible exposure of information vulnerability in Action Pack"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-23633",
        "STATE": "PUBLIC",
        "TITLE": "Exposure of sensitive information in Action Pack"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 7.0.0.0, \u003c 7.0.2.1"
                        },
                        {
                          "version_value": "\u003e= 6.1.0.0, \u003c 6.1.4.5"
                        },
                        {
                          "version_value": "\u003e= 6.0.0.0, \u003c 6.0.4.5"
                        },
                        {
                          "version_value": "\u003e= 5.0.0, \u003c 5.2.6.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "rails"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9",
            "refsource": "CONFIRM",
            "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "name": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
            "refsource": "MISC",
            "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
          },
          {
            "name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
          },
          {
            "name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
          },
          {
            "name": "DSA-5372",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5372"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240119-0013/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-wh98-p28r-vrc9",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-23633",
      "cvss_v3": 7.4,
      "date": "2022-02-11",
      "description": "## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor \u003c ActionDispatch::Executor\n  def call(env)\n    ensure_completed!\n    super\n  end\n\n  private\n\n    def ensure_completed!\n      @executor.new.complete! if @executor.active?\n    end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
      "framework": "rails",
      "gem": "actionpack",
      "ghsa": "wh98-p28r-vrc9",
      "patched_versions": [
        "~\u003e 5.2.6, \u003e= 5.2.6.2",
        "~\u003e 6.0.4, \u003e= 6.0.4.6",
        "~\u003e 6.1.4, \u003e= 6.1.4.6",
        "\u003e= 7.0.2.2"
      ],
      "related": {
        "url": [
          "https://github.com/rails/rails/commit/10c64a472f2f19a5e485bdac7d5106a76aeb29a5",
          "https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7021-february-11-2022"
        ]
      },
      "title": "Possible exposure of information vulnerability in Action Pack",
      "unaffected_versions": [
        "\u003c 5.0.0"
      ],
      "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.0.0.0 \u003c=5.2.6.1||\u003e=6.0.0.0 \u003c=6.0.4.5||\u003e=6.1.0.0 \u003c=6.1.4.5||\u003e=7.0.0.0 \u003c=7.0.2.1",
          "affected_versions": "All versions starting from 5.0.0.0 up to 5.2.6.1, all versions starting from 6.0.0.0 up to 6.0.4.5, all versions starting from 6.1.0.0 up to 6.1.4.5, all versions starting from 7.0.0.0 up to 7.0.2.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2022-02-11",
          "description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
          "fixed_versions": [
            "5.2.6.2",
            "6.0.4.6",
            "6.1.4.6",
            "7.0.2.2"
          ],
          "identifier": "CVE-2022-23633",
          "identifiers": [
            "GHSA-wh98-p28r-vrc9",
            "CVE-2022-23633"
          ],
          "not_impacted": "All versions before 5.0.0.0, all versions after 5.2.6.1 before 6.0.0.0, all versions after 6.0.4.5 before 6.1.0.0, all versions after 6.1.4.5 before 7.0.0.0, all versions after 7.0.2.1",
          "package_slug": "gem/actionpack",
          "pubdate": "2022-02-11",
          "solution": "Upgrade to versions 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2 or above.",
          "title": "Exposure of Sensitive Information to an Unauthorized Actor",
          "urls": [
            "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9",
            "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
            "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016",
            "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released",
            "https://github.com/advisories/GHSA-wh98-p28r-vrc9"
          ],
          "uuid": "6617e5a1-928c-4c6a-9444-d0f05ea87a6b"
        },
        {
          "affected_range": "\u003e=5.0.0 \u003c5.2.6.2||\u003e=6.0.0 \u003c6.0.4.6||\u003e=6.1.0 \u003c6.1.4.6||\u003e=7.0.0 \u003c7.0.2.2",
          "affected_versions": "All versions starting from 5.0.0 before 5.2.6.2, all versions starting from 6.0.0 before 6.0.4.6, all versions starting from 6.1.0 before 6.1.4.6, all versions starting from 7.0.0 before 7.0.2.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-212",
            "CWE-937"
          ],
          "date": "2023-07-11",
          "description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
          "fixed_versions": [
            "5.2.6.2",
            "6.0.4.6",
            "6.1.4.6",
            "7.0.2.2"
          ],
          "identifier": "CVE-2022-23633",
          "identifiers": [
            "CVE-2022-23633",
            "GHSA-wh98-p28r-vrc9"
          ],
          "not_impacted": "All versions before 5.0.0, all versions starting from 5.2.6.2 before 6.0.0, all versions starting from 6.0.4.6 before 6.1.0, all versions starting from 6.1.4.6 before 7.0.0, all versions starting from 7.0.2.2",
          "package_slug": "gem/rails",
          "pubdate": "2022-02-11",
          "solution": "Upgrade to versions 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2 or above.",
          "title": "Exposure of information in Action Pack",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
            "https://github.com/advisories/GHSA-wh98-p28r-vrc9",
            "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
            "http://www.openwall.com/lists/oss-security/2022/02/11/5"
          ],
          "uuid": "1eec09ea-1980-46f3-af3e-938ec60d200f"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
                    "versionEndExcluding": "5.2.6.2",
                    "versionStartIncluding": "5.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
                    "versionEndExcluding": "6.0.4.6",
                    "versionStartIncluding": "6.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
                    "versionEndExcluding": "6.1.4.6",
                    "versionStartIncluding": "6.1.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
                    "versionEndExcluding": "7.0.2.2",
                    "versionStartIncluding": "7.0.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
          },
          {
            "lang": "es",
            "value": "Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \"close\", \"ActionDispatch::Executor\" no sabr\u00e1 restablecer el estado local del hilo para la siguiente petici\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9"
          }
        ],
        "id": "CVE-2022-23633",
        "lastModified": "2024-01-19T16:15:08.417",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "NONE",
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              "exploitabilityScore": 8.6,
              "impactScore": 2.9,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 5.2,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2022-02-11T21:15:11.990",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List",
              "Mitigation",
              "Patch",
              "Third Party Advisory"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mitigation",
              "Third Party Advisory"
            ],
            "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5372"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-212"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-200"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

Action not permitted

GHSA-wh98-p28r-vrc9

Vulnerability from github

Impact

Patches

Workarounds

Ensure the guard is inserted before ActionDispatch::Executor

cve-2022-23633

Vulnerability from cvelistv5

gsd-2022-23633

Vulnerability from gsd

Tags