Vulnerability Description
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
CVSS Score
7.4 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rubyonrails | Rails | >= 5.0.0, < 5.2.6.2 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/02/11/5 (Mailing List, Mitigation, Patch)
- https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da (Patch, Third Party Advisory)
- https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 (Mitigation, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240119-0013/
- https://www.debian.org/security/2023/dsa-5372 (Third Party Advisory)
FAQ
What is CVE-2022-23633?
CVE-2022-23633 is a vulnerability with a CVSS score of 7.4 (HIGH). Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionD...
How severe is CVE-2022-23633?
CVE-2022-23633 has been rated HIGH with a CVSS base score of 7.4/10. See the CVSS Score section above for the rating.
Is there a patch for CVE-2022-23633?
Yes. According to the description above, the issue is fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1, and a workaround middleware is described in GHSA-wh98-p28r-vrc9. Check the references section above for the upstream commit and vendor advisories. Affected products include: Rubyonrails Rails, Debian Debian Linux.