CVE-2022-23633

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23633
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23633.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23633
Aliases
Related
Published
2022-02-11T21:15:11Z
Modified
2024-10-12T09:16:51.022662Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

References

Affected packages

Debian:11 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.0.3.7+dfsg-2+deb11u1

Affected versions

2:6.*

2:6.0.3.7+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.1.4.6+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2:6.1.4.6+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

test-tag-1

v0.*

v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.14.1
v0.14.3
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.4.1
v0.9.5

v1.*

v1.1.0
v1.1.0_RC1
v1.1.1

v2.*

v2.0.0
v2.0.0_PR
v2.0.0_RC1
v2.0.0_RC2
v2.0.1
v2.1.0
v2.1.0_RC1
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.2.1

v3.*

v3.0.0.beta.2
v3.0.0.beta.3
v3.0.0.beta1
v3.0.0.beta2
v3.0.0.beta3
v3.0.0.beta4
v3.0.0_RC
v3.1.0.beta1
v3.1.0.rc1
v3.2.0.rc1

v4.*

v4.0.0.beta1
v4.0.0.rc1
v4.1.0.beta1
v4.1.0.beta2
v4.2.0.beta1
v4.2.0.beta4

v5.*

v5.0.0.beta1
v5.0.0.beta1.1
v5.0.0.beta2
v5.0.0.beta3
v5.0.0.beta4
v5.0.0.rc1
v5.1.0.beta1

v6.*

v6.0.0.beta1
v6.0.0.beta2
v6.0.0.beta3
v6.1.0.rc1

v7.*

v7.0.0.alpha1
v7.0.0.alpha2