CVE-2022-23633
Data Leakage vulnerability in actionpack (RubyGems)


What is CVE-2022-23633 About?

This vulnerability allows for data leakage to subsequent requests due to unclosed response bodies in certain scenarios. It specifically impacts applications using `ActionDispatch::Executor` when webservers or Rack middleware fail to close responses properly. Exploitation is relatively difficult, as it relies on a specific sequence of events and faulty component behavior.

Affected Software

  • actionpack
    • >=5.0.0.0, <5.2.6.2
    • >=6.0.0.0, <6.0.4.6
    • >=6.1.0.0, <6.1.4.6
    • >=7.0.0.0, <7.0.2.2

Technical Details

The vulnerability arises because ActionDispatch::Executor fails to reset thread local state if a response body is not explicitly closed, which can happen due to bugs in webservers or Rack middleware. When a response is not notified of a close event, the executor does not clear ActiveSupport::CurrentAttributes. Consequently, data from a previous request, stored in ActiveSupport::CurrentAttributes, may persist in the thread and be exposed to a subsequent unrelated request handled by the same thread, leading to information disclosure.
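The state leak described above, and the difference a reset-on-entry makes, as an added Ruby example that is not part of this advisory or of Rails itself: Current, BodyProxy, Executor and APP are small stand-ins for ActiveSupport::CurrentAttributes, Rack::BodyProxy, ActionDispatch::Executor and an application, and the reset_on_run flag is a simplified model of the fixed behaviour, not the actual patch.

```ruby
# Added example (not Rails code): minimal model of the CVE-2022-23633 state leak.
# Per-thread store, standing in for ActiveSupport::CurrentAttributes.
module Current
  def self.user; Thread.current[:current_user]; end
  def self.user=(u); Thread.current[:current_user] = u; end
  def self.reset; Thread.current[:current_user] = nil; end
end

# Stand-in for Rack::BodyProxy: the block runs only if the server calls #close.
class BodyProxy
  def initialize(body, &on_close); @body = body; @on_close = on_close; end
  def each(&blk); @body.each(&blk); end
  def close; @on_close.call; end
end

# Executor middleware. reset_on_run: false models actionpack before the fix, where
# thread state is cleared only from the body's close hook. reset_on_run: true is an
# assumed simplification of the fix: stale state is cleared before each request.
class Executor
  def initialize(app, reset_on_run:); @app = app; @reset_on_run = reset_on_run; end
  def call(env)
    Current.reset if @reset_on_run
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { Current.reset }]
  end
end

# Constructed app: records who Current.user was on entry, then sets it from a header.
APP = lambda do |env|
  seen = Current.user # whatever a previous request left on this thread
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  [200, {}, ["seen=#{seen.inspect}"]]
end

# Buggy server: streams the body but never calls #close (the faulty component
# the advisory describes), so the close hook never resets the thread state.
def serve_without_close(stack, env)
  _status, _headers, body = stack.call(env)
  out = String.new
  body.each { |chunk| out << chunk }
  out
end

# Two sequential requests on one thread: alice's, then an anonymous one.
# Returns what the anonymous request observed on entry.
def leaked_user(reset_on_run:)
  stack = Executor.new(APP, reset_on_run: reset_on_run)
  serve_without_close(stack, { "HTTP_X_USER" => "alice" })
  serve_without_close(stack, {})
end
```

With reset_on_run: false the anonymous request observes alice's identity; with reset_on_run: true it observes nil even though the server still never closes the body.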

What is the Impact of CVE-2022-23633?

Successful exploitation may allow attackers to access sensitive information belonging to other users or requests, leading to unauthorized data disclosure and potential privacy violations.

What is the Exploitability of CVE-2022-23633?

Exploitation requires specific conditions involving a buggy webserver or Rack middleware that prevents response bodies from being properly closed. This makes the attack's complexity moderate to high. No direct authentication or privilege is required for the attacker, but they need to send requests to the vulnerable application. The exploitation occurs remotely. The likelihood of exploitation increases if the application relies on older or misconfigured webservers/middleware, or if the application frequently utilizes ActiveSupport::CurrentAttributes for sensitive data.

What are the Known Public Exploits?

  PoC    Author    Link    Commentary
  (no known exploits)

What are the Available Fixes for CVE-2022-23633?

Available Upgrade Options

  • actionpack
    • >=5.0.0.0, <5.2.6.2 → Upgrade to 5.2.6.2
    • >=6.0.0.0, <6.0.4.6 → Upgrade to 6.0.4.6
    • >=6.1.0.0, <6.1.4.6 → Upgrade to 6.1.4.6
    • >=7.0.0.0, <7.0.2.2 → Upgrade to 7.0.2.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-23633?

Similar Vulnerabilities: CVE-2020-13768, CVE-2019-15587, CVE-2018-1000539, CVE-2017-1000250, CVE-2016-10707