CVE-2022-23633

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread-local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Configurations

Configuration 1

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

30 Sep 2022, 19:48

Type | Values Removed | Values Added
CPE | | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
First Time | | Debian debian Linux; Debian
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html - | (MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html - Mailing List, Third Party Advisory

03 Sep 2022, 14:15

Type | Values Removed | Values Added
References | | (MLIST) https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html -
CWE | NVD-CWE-noinfo | CWE-200

22 Feb 2022, 21:47

Type | Values Removed | Values Added
First Time | | Rubyonrails rails; Rubyonrails
CPE | | cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
CVSS | v2 : unknown; v3 : unknown | v2 : 4.3; v3 : 5.9
CWE | CWE-200 | NVD-CWE-noinfo
References | (MISC) https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da - | (MISC) https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da - Patch, Third Party Advisory
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 - | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 - Mailing List, Mitigation, Patch, Third Party Advisory
References | (CONFIRM) https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 - | (CONFIRM) https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 - Mitigation, Third Party Advisory

12 Feb 2022, 01:30

Type | Values Removed | Values Added
References | | (MLIST) http://www.openwall.com/lists/oss-security/2022/02/11/5 -

11 Feb 2022, 21:15

New CVE

Information

Published : 2022-02-11 21:15

Updated : 2022-09-30 19:48

NVD link : CVE-2022-23633

Mitre link : CVE-2022-23633

Products Affected

debian

  • debian_linux

rubyonrails

  • rails

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor