Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-23633

Опубликовано: 11 фев. 2022
Источник: debian

Описание

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
railsfixed2:6.1.4.6+dfsg-1package

Примечания

  • https://www.openwall.com/lists/oss-security/2022/02/11/5

  • Fixed by: https://github.com/rails/rails/commit/07d9600172a18b45791c89e95a642e13fc367545 (v6.1.4.5)

  • Followup: https://github.com/rails/rails/commit/d1267768e9f57ebcf86ff7f011aca7fb08e733eb (v6.1.4.6)

  • Fixed by: https://github.com/rails/rails/commit/e9015f91dd685472f915f8aa1eb18b0e0763e013 (v6.0.4.5)

  • Followup: https://github.com/rails/rails/commit/f85b396e5a0019eb614e4ee436ea713089696833 (v6.0.4.6)

  • Fixed by: https://github.com/rails/rails/commit/ddaf5058350b3a72f59b7c3e0d713678354b9a08 (v5.2.6.1)

  • Followup: https://github.com/rails/rails/commit/676ad96fa5d9d0213babc32c9bad8190597a00d1 (v5.2.6.2)

Связанные уязвимости

ubuntu логотип

CVE-2022-23633

CVSS3: 7.4
ubuntu
почти 4 года назад

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

redhat логотип

CVE-2022-23633

CVSS3: 5.9
redhat
почти 4 года назад

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

nvd логотип

CVE-2022-23633

CVSS3: 7.4
nvd
почти 4 года назад

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

github логотип

GHSA-wh98-p28r-vrc9

CVSS3: 7.4
github
почти 4 года назад

Exposure of information in Action Pack

suse-cvrf логотип

SUSE-SU-2022:2108-1

suse-cvrf
больше 3 лет назад

Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1