Bug 2236261 (CVE-2023-38037) - CVE-2023-38037 rubygem-activesupport: File Disclosure of Locally Encrypted Files
Summary: CVE-2023-38037 rubygem-activesupport: File Disclosure of Locally Encrypted Files
Keywords:
Status: NEW
Alias: CVE-2023-38037
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2236263 2236262 2236264
Blocks: 2236258
Reported: 2023-08-30 20:16 UTC by Chess Hazlett
Modified: 2024-01-17 10:30 UTC

Fixed In Version: activesupport 7.0.7.1, activesupport 6.1.7.5
Doc Type: If docs needed, set a value
Doc Text:
An insecure temporary file vulnerability was found in activesupport rubygem. Contents that will be encrypted are written to a temporary file that has the user’s current umask settings, possibly leading to information disclosure by other users on the same system.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:7720  0        None      None    None     2023-12-13 18:42:45 UTC
Red Hat Product Errata  RHSA-2024:0268  0        None      None    None     2024-01-17 10:30:08 UTC

Description Chess Hazlett 2023-08-30 20:16:23 UTC
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
http://localhost:5600/static/#/asm_ticket/98986

CVE(s): CVE-2023-38037

There is a possible file disclosure of locally encrypted files in Active Support.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5

# Impact
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Releases
The fixed releases are available at the normal locations.

# Workarounds
To work around this issue, you can set your umask to be more restrictive like this:

```sh
$ umask 0077
```
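
The permission mechanism the advisory describes, shown as an added Ruby example that is not the gem's own code: a writer that relies on the umask default (the pattern the Impact section describes) next to a writer that passes an explicit 0600 creation mode, plus a check that reports the resulting permission bits under a given umask. Helper names are hypothetical, the file contents are constructed, and it assumes a POSIX filesystem where umask applies.

```ruby
require "tmpdir"
require "pathname"
require "securerandom"

# Umask-dependent write: Pathname#binwrite creates the file with mode 0666
# masked by the process umask, so a common umask of 022 yields a
# world-readable 0644 file. Hypothetical helper mirroring the described flaw.
def write_tmp_with_umask_default(contents)
  tmp_path = Pathname.new(File.join(Dir.tmpdir, "#{Process.pid}.#{SecureRandom.hex(4)}.umask-demo"))
  tmp_path.binwrite(contents)
  tmp_path
end

# Hardened variant: an explicit creation mode of 0600 keeps the file
# owner-only regardless of umask (umask can only clear bits, never add them).
# O_EXCL also refuses to reuse a pre-existing path.
def write_tmp_owner_only(contents)
  tmp_path = Pathname.new(File.join(Dir.tmpdir, "#{Process.pid}.#{SecureRandom.hex(4)}.0600-demo"))
  File.open(tmp_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.binmode
    f.write(contents)
  end
  tmp_path
end

# Returns the permission bits of +path+ (e.g. 0o644) and removes the file.
def permission_bits_and_cleanup(path)
  File.stat(path).mode & 0o777
ensure
  File.delete(path) if File.exist?(path)
end

# Runs the writer named by +writer+ under +umask+ and returns the permission
# bits of the file it produced; the previous umask is restored afterwards.
def perms_under_umask(umask, writer)
  old = File.umask(umask)
  path = send(writer, "secret_key_base: constructed-sample-value\n")
  permission_bits_and_cleanup(path)
ensure
  File.umask(old) if old
end

if __FILE__ == $0
  printf("umask-default write, umask 022: %04o\n", perms_under_umask(0o022, :write_tmp_with_umask_default))
  printf("umask-default write, umask 077: %04o\n", perms_under_umask(0o077, :write_tmp_with_umask_default))
  printf("explicit 0600 write, umask 022: %04o\n", perms_under_umask(0o022, :write_tmp_owner_only))
end
```

The second line of output is why the `umask 0077` workaround above is effective: it removes group and world bits from every file the process creates, while the explicit-mode writer stays at 0600 even under a permissive umask.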

Comment 3 errata-xmlrpc 2023-12-13 18:42:43 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2023:7720 https://access.redhat.com/errata/RHSA-2023:7720

Comment 4 errata-xmlrpc 2024-01-17 10:30:06 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:0268 https://access.redhat.com/errata/RHSA-2024:0268
