CVE-2022-23633 (GCVE-0-2022-23633)
Vulnerability from cvelistv5 – Published: 2022-02-11 00:00 – Updated: 2024-08-03 03:51 – CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Reviewer note on fixed versions: the CNA description below says the issue was fixed in 7.0.2.1, 6.1.4.5, 6.0.4.5 and 5.2.6.1, but the GitHub advisory GHSA-wh98-p28r-vrc9 (updated 2022-02-24) and NVD's CPE ranges further down this page treat exactly those builds as still affected and give 7.0.2.2, 6.1.4.6, 6.0.4.6 and 5.2.6.2 as the fixed releases. When matching installed versions, use the latter as the fixed floor.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:44.739Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rails",
"vendor": "rails",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0.0, \u003c 7.0.2.1"
},
{
"status": "affected",
"version": "\u003e= 6.1.0.0, \u003c 6.1.4.5"
},
{
"status": "affected",
"version": "\u003e= 6.0.0.0, \u003c 6.0.4.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-19T16:06:28.821Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
}
],
"source": {
"advisory": "GHSA-wh98-p28r-vrc9",
"discovery": "UNKNOWN"
},
"title": "Exposure of sensitive information in Action Pack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23633",
"datePublished": "2022-02-11T00:00:00.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:51:44.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-23633",
"date": "2026-05-26",
"epss": "0.00219",
"percentile": "0.44283"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndExcluding\": \"5.2.6.2\", \"matchCriteriaId\": \"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndExcluding\": \"6.0.4.6\", \"matchCriteriaId\": \"CB7B860B-0F93-4C93-8C95-29D259A38C43\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.0\", \"versionEndExcluding\": \"6.1.4.6\", \"matchCriteriaId\": \"A8FC3F82-3521-470B-910E-395895BAB248\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.2.2\", \"matchCriteriaId\": \"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.\"}, {\"lang\": \"es\", \"value\": \"Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \\\"close\\\", \\\"ActionDispatch::Executor\\\" no sabr\\u00e1 restablecer el estado local del hilo para la siguiente petici\\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9\"}]",
"id": "CVE-2022-23633",
"lastModified": "2024-11-21T06:48:58.787",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2022-02-11T21:15:11.990",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/5\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240119-0013/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5372\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/11/5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240119-0013/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://www.debian.org/security/2023/dsa-5372\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-212\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-23633\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-02-11T21:15:11.990\",\"lastModified\":\"2024-11-21T06:48:58.787\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.\"},{\"lang\":\"es\",\"value\":\"Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \\\"close\\\", \\\"ActionDispatch::Executor\\\" no sabr\u00e1 restablecer el estado local del hilo para la siguiente petici\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. 
Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-212\"}]}],\"
configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.2.6.2\",\"matchCriteriaId\":\"799C8F9A-10DD-4840-AAB5-F444DDA46FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.0.4.6\",\"matchCriteriaId\":\"CB7B860B-0F93-4C93-8C95-29D259A38C43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.0\",\"versionEndExcluding\":\"6.1.4.6\",\"matchCriteriaId\":\"A8FC3F82-3521-470B-910E-395895BAB248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.2.2\",\"matchCriteriaId\":\"AC6C96FF-285D-4378-86FF-AFB70FC339A3\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/11/5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240119-0013/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5372\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/11/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240119-0013/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5372\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
CERTFR-2022-AVI-143
Vulnerability from certfr_avis - Published: 2022-02-14 (version initiale) - Updated: no later revision recorded
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Ruby on Rails | N/A | Rails versions 7.0.x antérieures à 7.0.2.1 |
| Ruby on Rails | N/A | Rails versions 5.2.x antérieures à 5.2.6.1 |
| Ruby on Rails | N/A | Rails versions 6.1.x antérieures à 6.1.4.5 |
| Ruby on Rails | N/A | Rails versions 6.0.x antérieures à 6.0.4.5 |
| Title | Publication Time | Tags |
|---|---|---|
| (none listed) | | |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 5.2.x ant\u00e9rieures \u00e0 5.2.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-23633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23633"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-143",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/zlI-qMMwZvQ"
}
]
}
CERTFR-2022-AVI-143
Vulnerability from certfr_avis - Published: 2022-02-14 (version initiale) - Updated: no later revision recorded
Une vulnérabilité a été découverte dans Ruby on Rails. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Ruby on Rails | N/A | Rails versions 7.0.x antérieures à 7.0.2.1 |
| Ruby on Rails | N/A | Rails versions 5.2.x antérieures à 5.2.6.1 |
| Ruby on Rails | N/A | Rails versions 6.1.x antérieures à 6.1.4.5 |
| Ruby on Rails | N/A | Rails versions 6.0.x antérieures à 6.0.4.5 |
| Title | Publication Time | Tags |
|---|---|---|
| (none listed) | | |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 5.2.x ant\u00e9rieures \u00e0 5.2.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.1.x ant\u00e9rieures \u00e0 6.1.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Rails versions 6.0.x ant\u00e9rieures \u00e0 6.0.4.5",
"product": {
"name": "N/A",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-23633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23633"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-143",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-02-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby on Rails. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby on Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails du 11 f\u00e9vrier 2022",
"url": "https://groups.google.com/g/rubyonrails-security/c/zlI-qMMwZvQ"
}
]
}
CNVD-2022-13387
Vulnerability from cnvd - Published: 2022-02-23
厂商已发布了漏洞修复程序,请及时关注更新: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 (English: the vendor has published a fix; watch for the update at the linked advisory.)
| Name | Rails Action Pack <7.0.2.1; Rails Action Pack <6.1.4.5; Rails Action Pack <6.0.4.5; Rails Action Pack <5.2.6.1 |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-23633"
}
},
"description": "Rails Action Pack\u662f\u7f8e\u56fdRails\u793e\u533a\u7684\u4e00\u4e2aweb\u6846\u67b6\u3002\u63d0\u4f9b\u4e86\u8def\u7531\u673a\u5236\uff08\u5c06\u8bf7\u6c42URL\u6620\u5c04\u5230\u52a8\u4f5c\uff09\uff0c\u5b9a\u4e49\u5b9e\u73b0\u52a8\u4f5c\u7684\u63a7\u5236\u5668\u4ee5\u53ca\u901a\u8fc7\u6e32\u67d3\u89c6\u56fe\uff08\u5404\u79cd\u683c\u5f0f\u7684\u6a21\u677f\uff09\u751f\u6210\u54cd\u5e94\u7684\u673a\u5236\u3002\n\nRails Action Pack\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6570\u636e\u6cc4\u9732\u7ed9\u540e\u7eed\u8bf7\u6c42\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-13387",
"openTime": "2022-02-23",
"patchDescription": "Rails Action Pack\u662f\u7f8e\u56fdRails\u793e\u533a\u7684\u4e00\u4e2aweb\u6846\u67b6\u3002\u63d0\u4f9b\u4e86\u8def\u7531\u673a\u5236\uff08\u5c06\u8bf7\u6c42URL\u6620\u5c04\u5230\u52a8\u4f5c\uff09\uff0c\u5b9a\u4e49\u5b9e\u73b0\u52a8\u4f5c\u7684\u63a7\u5236\u5668\u4ee5\u53ca\u901a\u8fc7\u6e32\u67d3\u89c6\u56fe\uff08\u5404\u79cd\u683c\u5f0f\u7684\u6a21\u677f\uff09\u751f\u6210\u54cd\u5e94\u7684\u673a\u5236\u3002\r\n\r\nRails Action Pack\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6570\u636e\u6cc4\u9732\u7ed9\u540e\u7eed\u8bf7\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Rails Action Pack\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-13387\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Rails Action Pack \u003c7.0.2.1",
"Rails Action Pack \u003c6.1.4.5",
"Rails Action Pack \u003c6.0.4.5",
"Rails Action Pack \u003c5.2.6.1"
]
},
"referenceLink": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
"serverity": "\u4e2d",
"submitTime": "2022-02-15",
"title": "Rails Action Pack\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-13387\uff09"
}
FKIE_CVE-2022-23633
Vulnerability from fkie_nvd - Published: 2022-02-11 21:15 - Updated: 2024-11-21 06:48 - NVD primary score 5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (the GitHub CNA's secondary score in the same record is 7.4 High, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N — the two differ only on integrity impact, None vs High)
| Vendor | Product | Vulnerable version range (from the CPE match criteria below) |
|---|---|---|
| rubyonrails | rails | 5.0.0 ≤ version < 5.2.6.2 |
| rubyonrails | rails | 6.0.0 ≤ version < 6.0.4.6 |
| rubyonrails | rails | 6.1.0 ≤ version < 6.1.4.6 |
| rubyonrails | rails | 7.0.0 ≤ version < 7.0.2.2 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
},
{
"lang": "es",
"value": "Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \"close\", \"ActionDispatch::Executor\" no sabr\u00e1 restablecer el estado local del hilo para la siguiente petici\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9"
}
],
"id": "CVE-2022-23633",
"lastModified": "2024-11-21T06:48:58.787",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-02-11T21:15:11.990",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"source": "security-advisories@github.com",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-212"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-WH98-P28R-VRC9
Vulnerability from github – Published: 2022-02-11 20:49 – Updated: 2022-02-24 13:15
Impact
Under certain circumstances response bodies will not be closed, for example a bug in a webserver (the advisory cites puma/puma#2812 as one such case) or a bug in a Rack middleware. In the event a response is not notified of a `close`, `ActionDispatch::Executor` will not know to reset thread-local state for the next request. This can lead to data being leaked to subsequent requests handled on the same thread, especially when interacting with `ActiveSupport::CurrentAttributes`.
Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.
Patches
This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Note that the CVE record text on this page names 7.0.2.1, 6.1.4.5, 6.0.4.5 and 5.2.6.1 as the fix; the advisory's affected ranges below list exactly those builds as the last known affected versions, so treat them as still vulnerable and use the versions given here as the fixed floor.
Workarounds
Upgrading is highly recommended, but to work around this problem the following middleware can be used:
class GuardedExecutor < ActionDispatch::Executor
  # Stop-gap for CVE-2022-23633: when the previous response was never
  # notified of `close`, the executor context from that request is still
  # active when the next request arrives, and per-thread state (for
  # example ActiveSupport::CurrentAttributes) would carry over into it.
  # Complete any lingering context before handing the request to the
  # stock ActionDispatch::Executor behaviour.
  def call(env)
    ensure_completed!
    super
  end

  private

  # Tear down an executor context left active by an unclosed response.
  # `@executor` is assumed to be the executor handed to
  # ActionDispatch::Executor's constructor — confirm against the
  # ActionDispatch::Executor implementation of the Rails version in use.
  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end
# Ensure the guard is inserted before ActionDispatch::Executor
# (`swap` replaces the stock executor middleware in place, so the guard
# runs at the same point in the stack; `executor` is presumably the
# application's executor, e.g. Rails.application.executor — verify for
# the Rails version in use)
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.6.1"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0.0"
},
{
"fixed": "5.2.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.4.5"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0.0"
},
{
"fixed": "6.0.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1.4.5"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0.0"
},
{
"fixed": "6.1.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.2.1"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0.0"
},
{
"fixed": "7.0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23633"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-11T20:49:14Z",
"nvd_published_at": "2022-02-11T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nUnder certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.\n\n### Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n### Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following middleware can be used:\n\n```ruby\nclass GuardedExecutor \u003c ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
"id": "GHSA-wh98-p28r-vrc9",
"modified": "2022-02-24T13:15:43Z",
"published": "2022-02-11T20:49:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23633"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"type": "WEB",
"url": "https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of information in Action Pack"
}
GSD-2022-23633
Vulnerability from gsd - Updated: 2022-02-11 00:00
{
"GSD": {
"alias": "CVE-2022-23633",
"description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"id": "GSD-2022-23633",
"references": [
"https://www.suse.com/security/cve/CVE-2022-23633.html",
"https://access.redhat.com/errata/RHSA-2022:5498",
"https://www.debian.org/security/2023/dsa-5372"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2022-23633",
"GHSA-wh98-p28r-vrc9"
],
"details": "## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor \u003c ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
"id": "GSD-2022-23633",
"modified": "2022-02-11T00:00:00.000Z",
"published": "2022-02-11T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/10c64a472f2f19a5e485bdac7d5106a76aeb29a5"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7021-february-11-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.4,
"type": "CVSS_V3"
}
],
"summary": "Possible exposure of information vulnerability in Action Pack"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23633",
"STATE": "PUBLIC",
"TITLE": "Exposure of sensitive information in Action Pack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "rails",
"version": {
"version_data": [
{
"version_value": "\u003e= 7.0.0.0, \u003c 7.0.2.1"
},
{
"version_value": "\u003e= 6.1.0.0, \u003c 6.1.4.5"
},
{
"version_value": "\u003e= 6.0.0.0, \u003c 6.0.4.5"
},
{
"version_value": "\u003e= 5.0.0, \u003c 5.2.6.1"
}
]
}
}
]
},
"vendor_name": "rails"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9",
"refsource": "CONFIRM",
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"name": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
"refsource": "MISC",
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"name": "[oss-security] 20220211 [CVE-2022-23633] Possible exposure of information vulnerability in Action Pack",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"name": "[debian-lts-announce] 20220903 [SECURITY] [DLA 3093-1] rails security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"name": "DSA-5372",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"name": "https://security.netapp.com/advisory/ntap-20240119-0013/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
}
]
},
"source": {
"advisory": "GHSA-wh98-p28r-vrc9",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2022-23633",
"cvss_v3": 7.4,
"date": "2022-02-11",
"description": "## Impact\n\nUnder certain circumstances response bodies will not be closed, for example a\nbug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack\nmiddleware. In the event a response is not notified of a `close`,\n`ActionDispatch::Executor` will not know to reset thread local state for the\nnext request. This can lead to data being leaked to subsequent requests,\nespecially when interacting with `ActiveSupport::CurrentAttributes`.\n\nUpgrading to the FIXED versions of Rails will ensure mitigation if this issue\neven in the context of a buggy webserver or middleware implementation.\n\n## Patches\n\nThis has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.\n\n## Workarounds\n\nUpgrading is highly recommended, but to work around this problem the following\nmiddleware can be used:\n\n```\nclass GuardedExecutor \u003c ActionDispatch::Executor\n def call(env)\n ensure_completed!\n super\n end\n\n private\n\n def ensure_completed!\n @executor.new.complete! if @executor.active?\n end\nend\n\n# Ensure the guard is inserted before ActionDispatch::Executor\nRails.application.configure do\n config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor\nend\n```",
"framework": "rails",
"gem": "actionpack",
"ghsa": "wh98-p28r-vrc9",
"patched_versions": [
"~\u003e 5.2.6, \u003e= 5.2.6.2",
"~\u003e 6.0.4, \u003e= 6.0.4.6",
"~\u003e 6.1.4, \u003e= 6.1.4.6",
"\u003e= 7.0.2.2"
],
"related": {
"url": [
"https://github.com/rails/rails/commit/10c64a472f2f19a5e485bdac7d5106a76aeb29a5",
"https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7021-february-11-2022"
]
},
"title": "Possible exposure of information vulnerability in Action Pack",
"unaffected_versions": [
"\u003c 5.0.0"
],
"url": "https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=5.0.0.0 \u003c=5.2.6.1||\u003e=6.0.0.0 \u003c=6.0.4.5||\u003e=6.1.0.0 \u003c=6.1.4.5||\u003e=7.0.0.0 \u003c=7.0.2.1",
"affected_versions": "All versions starting from 5.0.0.0 up to 5.2.6.1, all versions starting from 6.0.0.0 up to 6.0.4.5, all versions starting from 6.1.0.0 up to 6.1.4.5, all versions starting from 7.0.0.0 up to 7.0.2.1",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2022-02-11",
"description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"fixed_versions": [
"5.2.6.2",
"6.0.4.6",
"6.1.4.6",
"7.0.2.2"
],
"identifier": "CVE-2022-23633",
"identifiers": [
"GHSA-wh98-p28r-vrc9",
"CVE-2022-23633"
],
"not_impacted": "All versions before 5.0.0.0, all versions after 5.2.6.1 before 6.0.0.0, all versions after 6.0.4.5 before 6.1.0.0, all versions after 6.1.4.5 before 7.0.0.0, all versions after 7.0.2.1",
"package_slug": "gem/actionpack",
"pubdate": "2022-02-11",
"solution": "Upgrade to versions 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2 or above.",
"title": "Exposure of Sensitive Information to an Unauthorized Actor",
"urls": [
"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9",
"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
"https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016",
"https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released",
"https://github.com/advisories/GHSA-wh98-p28r-vrc9"
],
"uuid": "6617e5a1-928c-4c6a-9444-d0f05ea87a6b"
},
{
"affected_range": "\u003e=5.0.0 \u003c5.2.6.2||\u003e=6.0.0 \u003c6.0.4.6||\u003e=6.1.0 \u003c6.1.4.6||\u003e=7.0.0 \u003c7.0.2.2",
"affected_versions": "All versions starting from 5.0.0 before 5.2.6.2, all versions starting from 6.0.0 before 6.0.4.6, all versions starting from 6.1.0 before 6.1.4.6, all versions starting from 7.0.0 before 7.0.2.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-212",
"CWE-937"
],
"date": "2023-07-11",
"description": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"fixed_versions": [
"5.2.6.2",
"6.0.4.6",
"6.1.4.6",
"7.0.2.2"
],
"identifier": "CVE-2022-23633",
"identifiers": [
"CVE-2022-23633",
"GHSA-wh98-p28r-vrc9"
],
"not_impacted": "All versions before 5.0.0, all versions starting from 5.2.6.2 before 6.0.0, all versions starting from 6.0.4.6 before 6.1.0, all versions starting from 6.1.4.6 before 7.0.0, all versions starting from 7.0.2.2",
"package_slug": "gem/rails",
"pubdate": "2022-02-11",
"solution": "Upgrade to versions 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2 or above.",
"title": "Exposure of information in Action Pack",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-23633",
"https://github.com/advisories/GHSA-wh98-p28r-vrc9",
"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da",
"http://www.openwall.com/lists/oss-security/2022/02/11/5"
],
"uuid": "1eec09ea-1980-46f3-af3e-938ec60d200f"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "799C8F9A-10DD-4840-AAB5-F444DDA46FE2",
"versionEndExcluding": "5.2.6.2",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CB7B860B-0F93-4C93-8C95-29D259A38C43",
"versionEndExcluding": "6.0.4.6",
"versionStartIncluding": "6.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FC3F82-3521-470B-910E-395895BAB248",
"versionEndExcluding": "6.1.4.6",
"versionStartIncluding": "6.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AC6C96FF-285D-4378-86FF-AFB70FC339A3",
"versionEndExcluding": "7.0.2.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used."
},
{
"lang": "es",
"value": "Action Pack es un marco de trabajo para manejar y responder a peticiones web. Bajo determinadas circunstancias los cuerpos de las respuestas no son cerradas. En el caso de que una respuesta *no* sea notificada de un \"close\", \"ActionDispatch::Executor\" no sabr\u00e1 restablecer el estado local del hilo para la siguiente petici\u00f3n. Esto puede conllevar a que sean filtrados datos a las siguientes peticiones. Esto ha sido corregido en Rails versiones 7.0.2.1, 6.1.4.5, 6.0.4.5 y 5.2.6.1. Es recomendado encarecidamente actualizar, pero para mitigar este problema puede usarse el middleware descrito en GHSA-wh98-p28r-vrc9"
}
],
"id": "CVE-2022-23633",
"lastModified": "2024-01-19T16:15:08.417",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2022-02-11T21:15:11.990",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/02/11/5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Third Party Advisory"
],
"url": "https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"
},
{
"source": "security-advisories@github.com",
"url": "https://security.netapp.com/advisory/ntap-20240119-0013/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-212"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
OPENSUSE-SU-2024:11869-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64 | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64 | — | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11869",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11869-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
}
],
"title": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11869-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"product_id": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"product_id": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64",
"product_id": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.6-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
}
]
}
OPENSUSE-SU-2024:11899-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64 | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x | — | — | Vendor Fix |
| openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64 | — | — | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11899",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11899-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
}
],
"title": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11899-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.2.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
}
]
}
OPENSUSE-SU-2024:12878-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12878",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12878-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
}
],
"title": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12878-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
}
]
}
OPENSUSE-SU-2024:14067-1
Vulnerability from csaf_opensuse - Published: 2024-06-24 00:00 - Updated: 2024-06-24 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14067",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14067-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22792 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22792/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22795/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22797 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22797/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-26143 page",
"url": "https://www.suse.com/security/cve/CVE-2024-26143/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28103 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28103/"
}
],
"title": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-24T00:00:00Z",
"generator": {
"date": "2024-06-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14067-1",
"initial_release_date": "2024-06-24T00:00:00Z",
"revision_history": [
{
"date": "2024-06-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
},
{
"cve": "CVE-2023-22792",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22792"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.0.6.1, \u003c6.1.7.1, and \u003c7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22792",
"url": "https://www.suse.com/security/cve/CVE-2023-22792"
},
{
"category": "external",
"summary": "SUSE Bug 1207455 for CVE-2023-22792",
"url": "https://bugzilla.suse.com/1207455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22792"
},
{
"cve": "CVE-2023-22795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22795"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22795",
"url": "https://www.suse.com/security/cve/CVE-2023-22795"
},
{
"category": "external",
"summary": "SUSE Bug 1207451 for CVE-2023-22795",
"url": "https://bugzilla.suse.com/1207451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22795"
},
{
"cve": "CVE-2023-22797",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22797"
}
],
"notes": [
{
"category": "general",
"text": "An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22797",
"url": "https://www.suse.com/security/cve/CVE-2023-22797"
},
{
"category": "external",
"summary": "SUSE Bug 1207449 for CVE-2023-22797",
"url": "https://bugzilla.suse.com/1207449"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-22797"
},
{
"cve": "CVE-2024-26143",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-26143"
}
],
"notes": [
{
"category": "general",
"text": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-26143",
"url": "https://www.suse.com/security/cve/CVE-2024-26143"
},
{
"category": "external",
"summary": "SUSE Bug 1220522 for CVE-2024-26143",
"url": "https://bugzilla.suse.com/1220522"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-26143"
},
{
"cve": "CVE-2024-28103",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28103"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28103",
"url": "https://www.suse.com/security/cve/CVE-2024-28103"
},
{
"category": "external",
"summary": "SUSE Bug 1225996 for CVE-2024-28103",
"url": "https://bugzilla.suse.com/1225996"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-28103"
}
]
}