ghsa-wh98-p28r-vrc9
Vulnerability from github
Impact
Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close
, ActionDispatch::Executor
will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes
.
Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
```ruby class GuardedExecutor < ActionDispatch::Executor def call(env) ensure_completed! super end
private
def ensure_completed!
@executor.new.complete! if @executor.active?
end
end
Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor end ```
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 5.2.6.1" }, "package": { "ecosystem": "RubyGems", "name": "actionpack" }, "ranges": [ { "events": [ { "introduced": "5.0.0.0" }, { "fixed": "5.2.6.2" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 6.0.4.5" }, "package": { "ecosystem": "RubyGems", "name": "actionpack" }, "ranges": [ { "events": [ { "introduced": "6.0.0.0" }, { "fixed": "6.0.4.6" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 6.1.4.5" }, "package": { "ecosystem": "RubyGems", "name": "actionpack" }, "ranges": [ { "events": [ { "introduced": "6.1.0.0" }, { "fixed": "6.1.4.6" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.2.1" }, "package": { "ecosystem": "RubyGems", "name": "actionpack" }, "ranges": [ { "events": [ { "introduced": "7.0.0.0" }, { "fixed": "7.0.2.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-23633" ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-212" ], "github_reviewed": true, "github_reviewed_at": "2022-02-11T20:49:14Z", "nvd_published_at": "2022-02-11T21:15:00Z", "severity": "HIGH" }, "details": "### Impact\n\nUnder certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.\n\n### Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n### Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following middleware can be used:\n\n```ruby\nclass GuardedExecutor \u003c ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```", "id": "GHSA-wh98-p28r-vrc9", "modified": "2022-02-24T13:15:43Z", "published": "2022-02-11T20:49:14Z", "references": [ { "type": "WEB", "url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633" }, { "type": "WEB", "url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da" }, { "type": "WEB", "url": "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016" }, { "type": "PACKAGE", "url": "https://github.com/rails/rails" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml" }, { "type": "WEB", "url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html" }, { "type": "WEB", "url": "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20240119-0013" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5372" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/02/11/5" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Exposure of information in Action Pack" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.