Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-23633

Good to know:

icon

Date: February 10, 2022

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a "close", "ActionDispatch::Executor" will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Language: Ruby

Severity Score

Related Resources (30)

https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
https://security.gentoo.org/glsa/202208-28
https://security.netapp.com/advisory/ntap-20240119-0013/
https://security.netapp.com/advisory/ntap-20240119-0013
https://github.com/advisories/GHSA-wh98-p28r-vrc9
https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
https://security-tracker.debian.org/tracker/CVE-2022-23633
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
https://github.com/rails/rails
https://nvd.nist.gov/vuln/detail/CVE-2022-23633
https://nvd.nist.gov/vuln/detail/CVE-2022-23634
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
https://www.debian.org/security/2023/dsa-5372
https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
https://www.debian.org/security/2022/dsa-5146
https://github.com/puma/puma
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
http://www.openwall.com/lists/oss-security/2022/02/11/5
https://www.mend.io/vulnerability-database/CVE-2022-23633

Severity Score

Weakness Type (CWE)

Improper Resource Shutdown or Release

CWE-404

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Insufficient Information

NVD-CWE-noinfo

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-212

Top Fix

icon

Upgrade Version

Upgrade to version actionpack - 5.2.6.2;actionpack - 6.0.4.6;actionpack - 6.1.4.6;actionpack - 7.0.2.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us