Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:ACTIONPACK-2022-23633
HistoryFeb 10, 2022 - 9:00 p.m.

Possible exposure of information vulnerability in Action Pack

2022-02-1021:00:00
RubySec
groups.google.com
13
action pack
information vulnerability
rails
upgrade
mitigation
buggy webserver
middleware
data leakage
guardedexecutor

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.003

Percentile

65.4%

JSON

Impact

Under certain circumstances response bodies will not be closed, for example a
bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack
middleware. In the event a response is not notified of a close,
ActionDispatch::Executor will not know to reset thread local state for the
next request. This can lead to data being leaked to subsequent requests,
especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation if this issue
even in the context of a buggy webserver or middleware implementation.

Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

Workarounds

Upgrading is highly recommended, but to work around this problem the following
middleware can be used:

class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end

Affected configurations

Vulners
Node
rubyactionpackRange5.2.05.2.6.2
OR
rubyactionpackRange6.0.06.0.4.6
OR
rubyactionpackRange6.1.06.1.4.6
OR
rubyactionpackRange7.0.2.2
VendorProductVersionCPE
rubyactionpack*cpe:2.3:a:ruby:actionpack:*:*:*:*:*:*:*:*

Related

cve 1
openvas 5
cvelist 1
nvd 1
redhatcve 1
veracode 1
prion 1
debiancve 1
osv 10
ubuntucve 1
cnvd 1
github 2
suse 1
nessus 5
debian 2
redhat 1
rocky 1
cve
cve
CVE-2022-23633
2022-02-11 21:15:11
openvas
openvas
Ruby on Rails Information Disclosure Vulnerability (GHSA-wh98-p28r-vrc9) - Linux
2022-02-21 00:00:00
Ruby on Rails Information Disclosure Vulnerability (GHSA-wh98-p28r-vrc9) - Windows
2022-02-21 00:00:00
openSUSE: Security Advisory for rubygem-actionpack-5_1, (SUSE-SU-2022:2108-1)
2022-06-17 00:00:00
cvelist
cvelist
CVE-2022-23633 Exposure of sensitive information in Action Pack
2022-02-11 00:00:00
nvd
nvd
CVE-2022-23633
2022-02-11 21:15:11
redhatcve
redhatcve
CVE-2022-23633
2022-03-11 11:57:11
veracode
veracode
Information Disclosure
2022-02-14 05:34:14
prion
prion
Design/Logic Flaw
2022-02-11 21:15:00
debiancve
debiancve
CVE-2022-23633
2022-02-11 21:15:11
osv
osv
ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1 on GA media
2024-06-15 00:00:00
ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1 on GA media
2024-06-15 00:00:00
Puma used with Rails may lead to Information Exposure
2022-02-11 21:33:23
ubuntucve
ubuntucve
CVE-2022-23633
2022-02-11 00:00:00
cnvd
cnvd
Rails Action Pack Information Disclosure Vulnerability (CNVD-2022-13387)
2022-02-15 00:00:00
github
github
Exposure of information in Action Pack
2022-02-11 20:49:14
Puma used with Rails may lead to Information Exposure
2022-02-11 21:33:23
suse
suse
Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (important)
2022-06-16 00:00:00
nessus
nessus
SUSE SLES15 Security Update : rubygem-actionpack-5_1, rubygem-activesupport-5_1 (SUSE-SU-2022:2108-1)
2022-06-17 00:00:00
Debian DLA-3093-1 : rails - LTS security update
2022-09-13 00:00:00
Debian DSA-5372-1 : rails - security update
2023-03-14 00:00:00
debian
debian
[SECURITY] [DLA 3093-1] rails security update
2022-09-03 11:34:10
[SECURITY] [DSA 5372-1] rails security update
2023-03-13 03:06:47
redhat
redhat
(RHSA-2022:5498) Moderate: Satellite 6.11 Release
2022-07-05 13:55:16
rocky
rocky
Satellite 6.11 Release
2022-07-05 13:55:16

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.003

Percentile

65.4%

JSON
Related for RUBY:ACTIONPACK-2022-23633
cve1openvas5cvelist1nvd1redhatcve1veracode1prion1debiancve1osv10ubuntucve1cnvd1github2suse1nessus5debian2redhat1rocky1