5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
58.9%
Action Pack is a framework for handling and responding to web requests.
Under certain circumstances response bodies will not be closed. In the
event a response is not notified of a close
, ActionDispatch::Executor
will not know to reset thread local state for the next request. This can
lead to data being leaked to subsequent requests.This has been fixed in
Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly
recommended, but to work around this problem a middleware described in
GHSA-wh98-p28r-vrc9 can be used.
Author | Note |
---|---|
seth-arnold | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward |
github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
launchpad.net/bugs/cve/CVE-2022-23633
nvd.nist.gov/vuln/detail/CVE-2022-23633
security-tracker.debian.org/tracker/CVE-2022-23633
www.cve.org/CVERecord?id=CVE-2022-23633
www.openwall.com/lists/oss-security/2022/02/11/5
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
58.9%