Severity: 7.4 (high)
CWE: CWE-200, CWE-212

CVE-2022-23633: Exposure of sensitive information in Action Pack

First published: Fri Feb 11 2022

### Impact

Under certain circumstances response bodies will not be closed, for example because of a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. If a response is *not* notified of a `close`, `ActionDispatch::Executor` never learns that the request finished and does not reset thread-local state before the next request. Data can then leak into subsequent requests served by the same thread, especially state held in `ActiveSupport::CurrentAttributes` (for example the current user). Upgrading to the FIXED versions of Rails mitigates this issue even when the webserver or a middleware is buggy.

### Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

### Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

```ruby
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```

After adding the guard, `bin/rails middleware` should list `GuardedExecutor` in the position previously occupied by `ActionDispatch::Executor`.
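The following is an added example, not code from Rails or from this advisory. It is a self-contained Rack-style simulation of the failure mode described above: `Current`, `ToyExecutor`, `ClosingBody` and `ExecutorMiddleware` are assumed stand-ins for `ActiveSupport::CurrentAttributes`, `ActiveSupport::Executor`, the body wrapper that notifies the executor on `close`, and `ActionDispatch::Executor`, modelling only the behaviour relevant to this CVE. The `APP`, the `REQUESTS` traffic and the `serve` loop are constructed for the example. It runs an authenticated request followed by an anonymous one on the same thread and shows that, when the server never closes the body, the second request sees the first request's user unless the advisory's guard is in place.

```ruby
# Added example, not Rails code: Current, ToyExecutor, ClosingBody and
# ExecutorMiddleware are stand-ins for ActiveSupport::CurrentAttributes,
# ActiveSupport::Executor, the body wrapper and ActionDispatch::Executor.

# Per-thread request state that must be reset between requests.
module Current
  def self.user; Thread.current[:current_user]; end
  def self.user=(name); Thread.current[:current_user] = name; end
  def self.reset; Thread.current[:current_user] = nil; end
end

# A "run" stays active on the thread until complete! is called. As with the
# real ExecutionWrapper.run!, an already-active run is reused and the reset
# hook is skipped, which is how stale state survives an unclosed body.
class ToyExecutor
  def self.active?; Thread.current[:toy_executor_active] == true; end

  def self.run!
    return new if active?            # previous run never completed: no reset
    Thread.current[:toy_executor_active] = true
    Current.reset                    # the to_run hook
    new
  end

  def complete!
    Current.reset                    # the to_complete hook
    Thread.current[:toy_executor_active] = false
  end
end

# Rack body wrapper: completes the run only if someone actually calls #close.
class ClosingBody
  def initialize(body, &on_close); @body, @on_close = body, on_close; end
  def each(&block); @body.each(&block); end

  def close
    @body.close if @body.respond_to?(:close)
    @on_close.call
  end
end

# The vulnerable middleware: relies entirely on the body being closed.
class ExecutorMiddleware
  def initialize(app, executor); @app, @executor = app, executor; end

  def call(env)
    state = @executor.run!
    status, headers, body = @app.call(env)
    [status, headers, ClosingBody.new(body) { state.complete! }]
  end
end

# The advisory's workaround, verbatim apart from the stand-in superclass.
class GuardedExecutorMiddleware < ExecutorMiddleware
  def call(env)
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Constructed app: an X-User header "logs in" for the request; every response
# reports who the app believes the current user is.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  [200, { "content-type" => "text/plain" }, ["user=#{Current.user.inspect}"]]
end

# Constructed traffic: an authenticated request, then an anonymous one.
REQUESTS = [
  { "PATH_INFO" => "/me", "HTTP_X_USER" => "alice" },
  { "PATH_INFO" => "/me" },
].freeze

# Minimal single-threaded server loop; a buggy server or middleware
# (close_bodies: false) drains the body but never calls #close on it.
def serve(stack, requests, close_bodies:)
  requests.map do |env|
    _status, _headers, body = stack.call(env)
    out = +""
    body.each { |chunk| out << chunk }
    body.close if close_bodies
    out
  end
end

# Runs the traffic through the vulnerable or guarded stack from a clean thread
# state and returns the two response bodies.
def run_scenario(guarded:, close_bodies:)
  Thread.current[:toy_executor_active] = false
  Current.reset
  middleware = guarded ? GuardedExecutorMiddleware : ExecutorMiddleware
  serve(middleware.new(APP, ToyExecutor), REQUESTS, close_bodies: close_bodies)
end
```

`run_scenario(guarded: false, close_bodies: true)` returns `user="alice"` then `user=nil`, the correct behaviour. With `close_bodies: false` the unguarded stack returns `user="alice"` for both requests: the anonymous second request inherits the first request's identity. The guarded stack returns `user=nil` again because `ensure_completed!` finds the stale run still active and completes it before the new request starts, which is exactly what the workaround above does in a real Rails stack.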

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/actionpack | >=7.0.0.0, <=7.0.2.1 | 7.0.2.2 |
| rubygems/actionpack | >=6.1.0.0, <=6.1.4.5 | 6.1.4.6 |
| rubygems/actionpack | >=6.0.0.0, <=6.0.4.5 | 6.0.4.6 |
| rubygems/actionpack | >=5.0.0.0, <=5.2.6.1 | 5.2.6.2 |
| Rubyonrails Rails | >=5.0.0, <5.2.6.2 | |
| Rubyonrails Rails | >=6.0.0, <6.0.4.6 | |
| Rubyonrails Rails | >=6.1.0, <6.1.4.6 | |
| Rubyonrails Rails | >=7.0.0, <7.0.2.2 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| redhat/rails | <7.0.2.1 | 7.0.2.1 |
| redhat/rails | <6.1.4.5 | 6.1.4.5 |
| redhat/rails | <6.0.4.5 | 6.0.4.5 |
| redhat/rails | <5.2.6.1 | 5.2.6.1 |
| debian/rails | <=2:5.2.2.1+dfsg-1+deb10u3 | 2:5.2.2.1+dfsg-1+deb10u5 |
| debian/rails | <=2:6.0.3.7+dfsg-2 | 2:6.0.3.7+dfsg-2+deb11u2 |
| debian/rails | <=2:6.1.4.1+dfsg-8 | 2:6.1.7.3+dfsg-1, 2:6.1.7.3+dfsg-2 |


Frequently Asked Questions

  • What is CVE-2022-23633?

    CVE-2022-23633 is a vulnerability in Action Pack (Ruby on Rails) in which `ActionDispatch::Executor` fails to reset thread-local request state when a response body is never closed, for example because of a bug in the web server or in a Rack middleware.

  • How does CVE-2022-23633 impact the system?

    Because the executor only resets per-request thread-local state when the response body is closed, state such as `ActiveSupport::CurrentAttributes` from one request can remain visible to the next request served on the same thread, leaking sensitive information (for example the identity of the previous user) across requests.

  • Which software versions are affected by CVE-2022-23633?

    CVE-2022-23633 affects Rails (actionpack) 5.0.0 up to 5.2.6.1, 6.0.0 up to 6.0.4.5, 6.1.0 up to 6.1.4.5 and 7.0.0 up to 7.0.2.1, as well as the Debian 10 and 11 rails packages listed in the table above.

  • How severe is CVE-2022-23633?

    CVE-2022-23633 has a severity rating of 7.4 (high).

  • How can I fix CVE-2022-23633?

    To fix CVE-2022-23633, upgrade Rails (actionpack) to 7.0.2.2, 6.1.4.6, 6.0.4.6 or 5.2.6.2, or to the patched package from your distribution. If you cannot upgrade immediately, swap the `GuardedExecutor` middleware from the advisory in for `ActionDispatch::Executor` so that any executor run left active by an unclosed body is completed before the next request is processed.

© 2024 SecAlerts Pty Ltd.