CVE-2023-38037
file disclosure vulnerability in activesupport (RubyGems)

file disclosure · No known exploit

What is CVE-2023-38037 About?

Active Support versions >= 5.2.0 are vulnerable to a local file disclosure flaw in `ActiveSupport::EncryptedFile`. The flaw allows other local users to read the contents of temporary files created during the encryption process. Exploitation requires local file system access, which makes this a low-complexity local attack.

Affected Software

  • activesupport
    • >=7.0.0, <7.0.7.1
    • >=5.2.0, <6.1.7.5

Technical Details

The vulnerability occurs when `ActiveSupport::EncryptedFile` writes the content that is about to be encrypted to a temporary file. By default, the permissions of this temporary file follow the user's current umask, which might not be sufficiently restrictive (for example, with a umask of 0002 the file is readable by others). When a user edits an encrypted file, a temporary file containing the unencrypted contents is created. An attacker with local access to the file system can use the window before that file is encrypted or deleted to read its sensitive contents, leading to information disclosure.
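The umask dependence described above can be seen in a short added example, which is not Active Support's own code. The helper names and the sample contents are constructed for illustration; the example writes the same plaintext once with default permissions and once with an explicit owner-only mode, then compares the resulting file modes.

```ruby
require "tmpdir"
require "securerandom"

# Constructed stand-in for decrypted credentials; not a real secret.
SAMPLE_PLAINTEXT = "secret_key_base: constructed-example-value\n"

# Umask-dependent pattern: the mode becomes 0666 & ~umask, so a umask of
# 0002 gives 0664 and 0022 gives 0644, both readable beyond the owner.
def write_umask_dependent(dir, contents)
  path = File.join(dir, "#{SecureRandom.hex(8)}.plain.yml")
  File.binwrite(path, contents)
  path
end

# Owner-only pattern: request 0600 at creation; EXCL refuses a pre-existing path.
def write_owner_only(dir, contents)
  path = File.join(dir, "#{SecureRandom.hex(8)}.plain.yml")
  flags = File::WRONLY | File::CREAT | File::EXCL | File::BINARY
  File.open(path, flags, 0o600) { |f| f.write(contents) }
  path
end

def mode_bits(path)
  File.stat(path).mode & 0o777
end

# True when group or other has the read bit set.
def readable_beyond_owner?(path)
  (mode_bits(path) & 0o044) != 0
end

# Writes the sample both ways under `umask` and reports the resulting modes.
# A private scratch directory is used; only the mode bits are of interest here.
def compare_modes(umask)
  previous = File.umask(umask)
  Dir.mktmpdir("encfile-demo") do |dir|
    weak = write_umask_dependent(dir, SAMPLE_PLAINTEXT)
    safe = write_owner_only(dir, SAMPLE_PLAINTEXT)
    { weak_mode: mode_bits(weak), weak_exposed: readable_beyond_owner?(weak),
      safe_mode: mode_bits(safe), safe_exposed: readable_beyond_owner?(safe) }
  end
ensure
  File.umask(previous) if previous
end

[0o002, 0o022, 0o077].each do |mask|
  r = compare_modes(mask)
  puts format("umask %04o -> umask-dependent %04o, owner-only %04o", mask, r[:weak_mode], r[:safe_mode])
end
```

Only a umask as strict as 0077 keeps the umask-dependent file private, while the explicit 0600 mode is owner-only under every umask shown.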

What is the Impact of CVE-2023-38037?

Successful exploitation may allow local attackers to read the sensitive contents of temporary files, leading to unauthorized information disclosure.

What is the Exploitability of CVE-2023-38037?

Exploitation of this vulnerability requires local file system access to the affected system. The attack is local, meaning the attacker must already have a presence on the machine or be able to log in. No authentication for the vulnerability itself is needed, but access to the system is a prerequisite. The complexity is low, as it primarily involves reading a file from a predictable temporary location during a specific window. The likelihood of exploitation is significantly increased in multi-user environments or systems where local users have lax default umask settings, allowing other users to read sensitive temporary files.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-38037?

Available Upgrade Options

  • activesupport
    • >=5.2.0, <6.1.7.5 → Upgrade to 6.1.7.5
  • activesupport
    • >=7.0.0, <7.0.7.1 → Upgrade to 7.0.7.1

Additional Resources

What are Similar Vulnerabilities to CVE-2023-38037?

Similar Vulnerabilities: CVE-2021-3918, CVE-2019-14814, CVE-2018-1000000, CVE-2017-1000100, CVE-2016-10740