2063149 – (CVE-2022-23633) CVE-2022-23633 rubygem-actionpack: information leak between requests

Bug 2063149 (CVE-2022-23633) - CVE-2022-23633 rubygem-actionpack: information leak between requests

Summary: CVE-2022-23633 rubygem-actionpack: information leak between requests

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-23633
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2063150 2066666
Blocks:	2063151
TreeView+	depends on / blocked

Reported:	2022-03-11 11:34 UTC by Marian Rehak
Modified:	2022-09-23 20:03 UTC (History)
CC List:	20 users (show)
Fixed In Version:	rails 7.0.2.1, rails 6.1.4.5, rails 6.0.4.5, rails 5.2.6.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Rack middleware package of RubyGems, where response bodies will not close under certain circumstances. This flaw allows an attacker to iterate requests to force ActionDispatch::Executor to not close, allowing subsequent requests to leak data from ActiveSupport::CurrentAttributes.
Clone Of:
Environment:
Last Closed:	2022-07-05 22:11:27 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5498	0	None	None	None	2022-07-05 14:27:45 UTC

Description Marian Rehak 2022-03-11 11:34:06 UTC

In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.

Reference:

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

Comment 1 Marian Rehak 2022-03-11 11:34:26 UTC

Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 2063150]

Comment 3 errata-xmlrpc 2022-07-05 14:27:42 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 4 Product Security DevOps Team 2022-07-05 22:11:20 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-23633

Note You need to log in before you can comment on or make changes to this bug.

bbuckingham
bcourt
btotty
ehelms
jaruga
jsherril
lzap
mhulan
mmccune
mo
myarboro
nmoumoul
orabin
pcreech
pvalena
rchan
ruby-packagers-sig
sseago
strzibny
vondruch