GoogleOSV:GHSA-WH98-P28R-VRC9Exposure of information in Action Pack
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.0%
Impact
Under certain circumstances response bodies will not be closed, for example a bug in a webserver or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.
Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor
def call(env)
ensure_completed!
super
end
private
def ensure_completed!
@executor.new.complete! if @executor.active?
end
end
# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
| CPE | Name | Operator | Version |
|---|---|---|---|
| actionpack | eq | 5.2.3.rc1 | |
| actionpack | eq | 6.1.3 | |
| actionpack | eq | 6.0.0 | |
| actionpack | eq | 5.1.0.rc2 | |
| actionpack | eq | 5.1.1 | |
| actionpack | eq | 5.2.4.2 | |
| actionpack | eq | 5.1.3.rc1 | |
| actionpack | eq | 6.0.3.4 | |
| actionpack | eq | 5.0.0.1 | |
| actionpack | eq | 5.1.6 |
References
www.openwall.com/lists/oss-security/2022/02/11/5
discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
github.com/rails/rails
github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
lists.debian.org/debian-lts-announce/2022/09/msg00002.html
nvd.nist.gov/vuln/detail/CVE-2022-23633
rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
security.netapp.com/advisory/ntap-20240119-0013
www.debian.org/security/2023/dsa-5372
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
59.0%