CVE-2022-23633

HIGH

Rails < 5.2.6.2 - Information Disclosure

Title source: rule

Description

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

References (6)

[Mailing List, Mitigation, Patch, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/02/11/5

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5372

[Patch, Third Party Advisory] https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

View Patch ZIP pw:eip

[Mitigation, Third Party Advisory] https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240119-0013/

Scores

CVSS v3 7.4

EPSS 0.0030

EPSS Percentile 53.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-212 CWE-200

Status published

Products (4)

debian/debian_linux 10.0

debian/debian_linux 11.0

rubygems/actionpack 5.0.0.0 - 5.2.6.2RubyGems

rubyonrails/rails 5.0.0 - 5.2.6.2

Published Feb 11, 2022

Tracked Since Feb 18, 2026