CVE-2022-23633
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/02/2022
Last modified:
19/01/2024
Description
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* | 5.0.0 (including) | 5.2.6.2 (excluding) |
| cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.0.4.6 (excluding) |
| cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* | 6.1.0 (including) | 6.1.4.6 (excluding) |
| cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* | 7.0.0 (including) | 7.0.2.2 (excluding) |
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2022/02/11/5
- https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
- https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://security.netapp.com/advisory/ntap-20240119-0013/
- https://www.debian.org/security/2023/dsa-5372