CVE-2022-23633

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

CVSS v3 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/02/11/5	Mailing List Mitigation Patch Third Party Advisory
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da	Patch Third Party Advisory
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9	Mitigation Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20240119-0013/
https://www.debian.org/security/2023/dsa-5372	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::
	cpe:2.3:a:rubyonrails:rails::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

History

19 Jan 2024, 16:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240119-0013/ -

11 Jul 2023, 20:41

Type	Values Removed	Values Added
References	~~(DEBIAN) https://www.debian.org/security/2023/dsa-5372 -~~	(DEBIAN) https://www.debian.org/security/2023/dsa-5372 - Third Party Advisory
CWE	~~CWE-200~~	CWE-212
CPE		cpe:2.3:o:debian:debian_linux:11.0:::::::*

14 Mar 2023, 08:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2023/dsa-5372 -

30 Sep 2022, 19:48

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*
First Time		Debian debian Linux Debian
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html - Mailing List, Third Party Advisory

03 Sep 2022, 14:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html -
CWE	~~NVD-CWE-noinfo~~	CWE-200

22 Feb 2022, 21:47

Type	Values Removed	Values Added
CWE	~~CWE-200~~	NVD-CWE-noinfo
First Time		Rubyonrails rails Rubyonrails
References	~~(MISC) https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da -~~	(MISC) https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da - Patch, Third Party Advisory
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 -~~	(MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 - Mailing List, Mitigation, Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 -~~	(CONFIRM) https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 - Mitigation, Third Party Advisory
CPE		cpe:2.3:a:rubyonrails:rails::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.3 v3 : 5.9

12 Feb 2022, 01:30

Type	Values Removed	Values Added
References		(MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 -

11 Feb 2022, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-02-11 21:15

Updated : 2024-01-19 16:15

NVD link : CVE-2022-23633

Mitre link : CVE-2022-23633

CVE.ORG link : CVE-2022-23633

JSON object : View

Products Affected

debian

debian_linux

rubyonrails

rails

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

5.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2022-23633

5.9^/10

4.3^/10

Attach tags to `CVE-2022-23633`