CVE-2022-23634
Information Leakage vulnerability in puma (RubyGems)


What is CVE-2022-23634 About?

The Puma web server (prior to 5.6.2) in combination with Rails (prior to 7.0.2.2) can lead to information leakage due to the failure to close response bodies. This interaction prevents Rails from resetting thread-local state, potentially exposing data to subsequent requests. Exploitation involves a race condition or specific request patterns, making it moderately complex.

Affected Software

  • puma
    • >=5.0.0, <5.6.2
    • <4.3.11

Technical Details

This vulnerability stems from an interaction between puma (versions prior to 5.6.2) and Rails (versions prior to 7.0.2.2). Specifically, puma may not consistently call close on the HTTP response body. Rails' ActionDispatch::Executor (which manages thread-local state, particularly for ActiveSupport::CurrentAttributes) relies on this close call to know when to reset the thread-local state for CurrentAttributes before processing the next request. If puma fails to close the body, ActionDispatch::Executor does not get the signal to reset. Consequently, thread-local data from one request (e.g., user IDs, session information) can persist and be inadvertently leaked to a subsequent, unrelated request handled by the same thread. This information leakage can grant an attacker access to sensitive data or actions intended for another legitimate user.
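The close contract described above, as an added illustration that is not Puma or Rails code: `Current` is a toy stand-in for ActiveSupport::CurrentAttributes, `ResetOnClose` for the executor's body wrapper, and `serve` for one worker thread handling requests in turn. The `reset_on_start` option is an assumed defensive pattern added here, not a fix the page describes.

```ruby
# Per-thread state: whatever one request stores stays visible to the next
# request on the same thread until something resets it.
module Current
  def self.user_id;     Thread.current[:demo_user_id];       end
  def self.user_id=(v); Thread.current[:demo_user_id] = v;   end
  def self.reset;       Thread.current[:demo_user_id] = nil; end
end

# Body wrapper (the Rack::BodyProxy pattern): the reset runs only when the
# server calls #close. If close is never called, the reset never happens.
class ResetOnClose
  def initialize(body); @body = body; end
  def each(&blk); @body.each(&blk); end
  def close
    @body.close if @body.respond_to?(:close)
    Current.reset
  end
end

# Toy app: reports what it inherited from the previous request, then stores
# the caller's user id (constructed sample data, no authentication modelled).
APP = lambda do |env|
  inherited = Current.user_id
  Current.user_id = env['user_id'] if env.key?('user_id')
  [200, {}, ResetOnClose.new(["inherited=#{inherited.inspect}"])]
end

# Handle requests one after another on a single fresh thread, like one Puma
# worker thread. close_bodies: false models the server skipping #close;
# reset_on_start: true resets state before every request as well, so a
# skipped close cannot carry state over (assumed mitigation, not from the page).
def serve(requests, close_bodies:, reset_on_start: false)
  Thread.new do
    requests.map do |env|
      Current.reset if reset_on_start
      _status, _headers, body = APP.call(env)
      chunks = []
      body.each { |c| chunks << c }
      body.close if close_bodies
      chunks.join
    end
  end.value
end

if __FILE__ == $PROGRAM_NAME
  reqs = [{ 'user_id' => 42 }, {}]  # user 42, then an unrelated anonymous request
  p serve(reqs, close_bodies: true)                          # ["inherited=nil", "inherited=nil"]
  p serve(reqs, close_bodies: false)                         # ["inherited=nil", "inherited=42"]
  p serve(reqs, close_bodies: false, reset_on_start: true)   # ["inherited=nil", "inherited=nil"]
end
```

The second run shows the second, anonymous request observing the first request's user id, which is exactly the cross-request leak the advisory describes.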

What is the Impact of CVE-2022-23634?

Successful exploitation may allow attackers to leak sensitive information from one user's request to another, potentially leading to unauthorized access, session hijacking, or disclosure of confidential data. This compromises the confidentiality and integrity of user sessions.

What is the Exploitability of CVE-2022-23634?

Exploitation of this information leakage vulnerability is of moderate complexity, typically involving concurrent requests within the same application process. It does not require specific authentication to trigger, as it relies on the internal handling of requests by the server and framework. The attack is remote, targeting the behavior of the web server and application framework. Special conditions involve triggering a scenario where Puma fails to close the response body and subsequent requests are processed by the same thread before the state is reset. This often involves specific timing or high request load. Risk factors include high-traffic applications that frequently use ActiveSupport::CurrentAttributes and run vulnerable versions of both Puma and Rails, increasing the chances of state leakage.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2022-23634?

Available Upgrade Options

  • puma
    • <4.3.11 → Upgrade to 4.3.11
    • >=5.0.0, <5.6.2 → Upgrade to 5.6.2


Additional Resources

What are Similar Vulnerabilities to CVE-2022-23634?

Similar Vulnerabilities: CVE-2023-34062, CVE-2022-39396, CVE-2021-4198, CVE-2020-8165, CVE-2019-10020