CVE Vulnerability

CVE-2022-23633

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da Patch Third Party Advisory
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 Mitigation Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/02/11/5 Mailing List Mitigation
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Information

Published : 2022-02-11 09:15

Updated : 2022-09-30 07:48

NVD link : CVE-2022-23633

Mitre link : CVE-2022-23633

Products Affected

Rails

Rubyonrails

CWE
CWE-200