NVD Vulnerability Detail

CVE-2022-23633

Summary	Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Publication Date	Feb. 12, 2022, 6:15 a.m.
Registration Date	Feb. 12, 2022, 10 a.m.
Last Update	Nov. 21, 2024, 3:48 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2022/02/11/5	Mailing List Mitigation Patch Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2022/02/11/5	Mailing List Mitigation Patch Third Party Advisory
3	https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da	Patch Third Party Advisory
4	https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da	Patch Third Party Advisory
5	https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9	Mitigation Third Party Advisory
6	https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9	Mitigation Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html	Mailing List Third Party Advisory
8	https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html	Mailing List Third Party Advisory
9	https://security.netapp.com/advisory/ntap-20240119-0013/
10	https://security.netapp.com/advisory/ntap-20240119-0013/
11	https://www.debian.org/security/2023/dsa-5372	Third Party Advisory
12	https://www.debian.org/security/2023/dsa-5372	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-212	保存または転送前の重要な情報の不適切な削除	https://cwe.mitre.org/data/definitions/212.html

JVN Vulnerability Information

Rails における脆弱性

Title	Rails における脆弱性
Summary	Rails には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 12, 2022, midnight
Registration Date	June 14, 2023, 6:07 p.m.
Last Update	June 14, 2023, 6:07 p.m.

Affected System

Debian

Debian GNU/Linux

Ruby on Rails project

Rails

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-23633	https://www.cve.org/CVERecord?id=CVE-2022-23633
National Vulnerability Database (NVD)
2	CVE-2022-23633	https://nvd.nist.gov/vuln/detail/CVE-2022-23633

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 3093-1] rails security update	https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
Debian Security Advisory
2	DSA-5372-1	https://www.debian.org/security/2023/dsa-5372
GitHub
3	Fix reloader to work with new Executor signature	https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
4	Possible exposure of information vulnerability in Action Pack	https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

Change Log

No	Changed Details	Date of change
1	[2023年06月14日] 掲載	June 14, 2023, 6:07 p.m.