Home > Vulnerability Database > CVE-2022-23633

Mend.io Vulnerability Database

CVE-2022-23633

Good to know:

Date: February 10, 2022

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Language: Ruby

Severity Score

7.4

Related Resources (29)

Url: https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html

Url: https://security.gentoo.org/glsa/202208-28

Url: https://security.netapp.com/advisory/ntap-20240119-0013/

Url: https://security.netapp.com/advisory/ntap-20240119-0013

Url: https://github.com/advisories/GHSA-wh98-p28r-vrc9

Url: https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016

Url: https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb

Url: https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

Url: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

Url: https://github.com/rails/rails

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23633

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-23634

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml

Url: https://www.debian.org/security/2023/dsa-5372

Url: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1

Url: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

Url: https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html

Url: https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

Url: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G

Url: https://www.debian.org/security/2022/dsa-5146

Url: https://github.com/puma/puma

Url: https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

Url: https://github.com/advisories/GHSA-rmj8-8hhh-gv5h

Url: http://www.openwall.com/lists/oss-security/2022/02/11/5

Url: https://www.mend.io/vulnerability-database/CVE-2022-23633

Severity Score

7.4

Weakness Type (CWE)

Improper Resource Shutdown or Release

CWE-404

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-212

Top Fix

Upgrade Version

Upgrade to version 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-23633

Good to know:

Date: February 10, 2022

Language: Ruby

Severity Score

Related Resources (29)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?