CVE-2022-23633
HIGHRails 5.0.0-5.2.6.1 - Information Disclosure via Thread Local State Leak
Title source: llmDescription
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
References (6)
Core 6
Core References
Mailing List, Mitigation, Patch, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2022/02/11/5
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
Third Party Advisory vendor-advisory
https://www.debian.org/security/2023/dsa-5372
Patch, Third Party Advisory
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
Mitigation, Third Party Advisory
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240119-0013/
Scores
CVSS v3
7.4
EPSS
0.0221
EPSS Percentile
80.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-212
CWE-200
Status
published
Products (4)
debian/debian_linux
10.0
debian/debian_linux
11.0
rubygems/actionpack
5.0.0.0 - 5.2.6.2RubyGems
rubyonrails/rails
5.0.0 - 5.2.6.2
Published
Feb 11, 2022
Tracked Since
Feb 18, 2026