CVE-2022-23633
Severity: HIGH 7.4 | EPSS 0.19% | Exposure of information in Action Pack
Description
### Impact

Under certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

### Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

### Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

```ruby
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```
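As an added illustration (not code from the advisory or from Rails), the following constructed Ruby simulation stands in for `ActionDispatch::Executor`, `ActiveSupport::CurrentAttributes` and `Rack::BodyProxy`; it shows how a response body that is never closed lets one request's thread-local state reach the next request on the same thread, and how the guard from the workaround clears it. The class names, `APP` and `second_request_body` are assumptions made for the demo.

```ruby
# Constructed stand-ins for Rails' Executor, CurrentAttributes and Rack::BodyProxy,
# enough to show why an unclosed body leaks state and how the guard prevents it.
class Current                     # thread-local store, like CurrentAttributes
  def self.attrs; Thread.current[:current_attrs] ||= {}; end
  def self.reset; Thread.current[:current_attrs] = {}; end
end
class Executor                    # run! marks the thread active, complete! resets it
  def self.active?; Thread.current[:executor_active] == true; end
  def self.run!; Thread.current[:executor_active] = true; new; end
  def complete!; Current.reset; Thread.current[:executor_active] = false; end
end
class BodyProxy                   # runs the callback only when the server calls close
  def initialize(body, &on_close); @body = body; @on_close = on_close; end
  def each(&blk); @body.each(&blk); end
  def close; @on_close.call; end
end
class ExecutorMiddleware          # like ActionDispatch::Executor: reset deferred to close
  def initialize(app, executor); @app = app; @executor = executor; end
  def call(env)
    state = @executor.run!
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { state.complete! }]
  end
end
class GuardedExecutor < ExecutorMiddleware   # the advisory's workaround
  def call(env)
    @executor.new.complete! if @executor.active?   # previous request never closed
    super
  end
end

# Constructed app: records the request's user and echoes whatever Current holds.
APP = lambda do |env|
  Current.attrs[:user] = env["user"] if env["user"]
  [200, {}, ["user=#{Current.attrs[:user].inspect}"]]
end

# Serve alice, optionally skipping close (the webserver/middleware bug), then an
# anonymous request on the same thread; return what the second response shows.
def second_request_body(middleware, close_first:)
  app = middleware.new(APP, Executor)
  _, _, body = app.call("user" => "alice")
  body.close if close_first
  _, _, body2 = app.call({})
  chunks = body2.enum_for(:each).to_a
  body2.close
  chunks.join
end

puts second_request_body(ExecutorMiddleware, close_first: false) # user="alice" (leaked)
puts second_request_body(GuardedExecutor, close_first: false)    # user=nil
```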
Affected packages (2)
- Debian/rails: from 0, < 2:6.0.3.7+dfsg-2+deb11u1
- RubyGems/actionpack: >= 5.0.0.0, < 5.2.6.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
References (13)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-23633
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2022-23633
- PATCH: https://github.com/rails/rails
- WEB: https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
- WEB: https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
- WEB: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
- WEB: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
- WEB: https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- WEB: https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
- WEB: https://security.netapp.com/advisory/ntap-20240119-0013
- WEB: https://www.debian.org/security/2023/dsa-5372
- WEB: http://www.openwall.com/lists/oss-security/2022/02/11/5