oss-sec mailing list archives
[CVE-2022-23633] Possible exposure of information vulnerability in Action Pack
From: Aaron Patterson <aaron.patterson () gmail com>
Date: Fri, 11 Feb 2022 12:39:10 -0800
## Impact

Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

## Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 5.2-information-leak.patch
* 6.0-information-leak.patch
* 6.1-information-leak.patch
* 7.0-information-leak.patch

## Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

```ruby
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

  # If the previous request's executor was never completed (its response body
  # was never closed), complete it now so thread-local state is reset before
  # this request runs.
  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```

## Credits

Thanks to Jean Boussier for fixing this!

1. https://github.com/puma/puma/pull/2812
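The following is an added, self-contained model of the failure mode described above and of the effect of the workaround; it is not code from the advisory or from Rails. `ToyExecutor`, `CurrentModel`, `ToyExecutorMiddleware`, `ClosableBody` and `simulate` are constructed stand-ins that imitate only the relevant behaviour of `ActionDispatch::Executor` and `ActiveSupport::CurrentAttributes` (a per-thread "request in flight" flag, and per-request state that is reset only when the executor completes). Two requests are run on one thread; the first response body is deliberately never closed, as a buggy server or middleware would do, and the second request reports whatever user was already "current" when it arrived.

```ruby
# Constructed model of CVE-2022-23633's mechanism. No Rails dependency; the
# names below are stand-ins, not the real ActiveSupport/ActionDispatch API.

# Request-scoped attributes, reset when the executor completes (imitates the
# reset-on-complete behaviour of ActiveSupport::CurrentAttributes).
class CurrentModel
  def self.user=(u)
    Thread.current[:current_user] = u
  end

  def self.user
    Thread.current[:current_user]
  end

  def self.reset
    Thread.current[:current_user] = nil
  end
end

# Minimal executor: a per-thread "active" flag set by run! and cleared, along
# with CurrentModel, by complete!.
class ToyExecutor
  def self.active?
    Thread.current[:toy_executor_active] == true
  end

  def self.run!
    Thread.current[:toy_executor_active] = true
    new
  end

  def complete!
    CurrentModel.reset
    Thread.current[:toy_executor_active] = false
  end
end

# Rack body wrapper: the executor is completed only when the body is closed.
class ClosableBody
  def initialize(body, &on_close)
    @body = body
    @on_close = on_close
  end

  def each(&block)
    @body.each(&block)
  end

  def close
    @on_close.call
  end
end

# Shape of the unguarded middleware: run! before the app, complete! on close.
class ToyExecutorMiddleware
  def initialize(app, executor)
    @app = app
    @executor = executor
  end

  def call(env)
    state = @executor.run!
    status, headers, body = @app.call(env)
    [status, headers, ClosableBody.new(body) { state.complete! }]
  end
end

# The advisory's workaround, applied to the toy middleware: if the previous
# request was never completed, complete it before this request runs.
class GuardedToyExecutor < ToyExecutorMiddleware
  def call(env)
    @executor.new.complete! if @executor.active?
    super
  end
end

# Constructed app: report the user that was already current on arrival (the
# correct value is none), then set this request's user.
APP = lambda do |env|
  leaked = CurrentModel.user
  CurrentModel.user = env["user"]
  [200, {}, [leaked.to_s]]
end

# Run two sequential requests on one thread and return what the second one
# saw as the pre-existing current user ("" means nothing leaked).
def simulate(middleware_class, close_first_body:)
  Thread.current[:toy_executor_active] = false
  CurrentModel.reset
  app = middleware_class.new(APP, ToyExecutor)
  _, _, body1 = app.call({ "user" => "alice" })
  body1.close if close_first_body # a buggy server skips this
  _, _, body2 = app.call({ "user" => "bob" })
  seen = +""
  body2.each { |chunk| seen << chunk }
  body2.close
  seen
end

if $PROGRAM_NAME == __FILE__
  puts "closed body, unguarded:   #{simulate(ToyExecutorMiddleware, close_first_body: true).inspect}"
  puts "unclosed body, unguarded: #{simulate(ToyExecutorMiddleware, close_first_body: false).inspect}"
  puts "unclosed body, guarded:   #{simulate(GuardedToyExecutor, close_first_body: false).inspect}"
end
```

With a well-behaved server the second request sees no leaked user. When the first body is never closed, the unguarded middleware lets "alice" leak into the second request; the guarded variant detects the still-active executor, completes it, and the leak disappears, which is exactly what the workaround (and the fixed releases) do for `ActionDispatch::Executor`.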
Attachments: 6.1-information-leak.patch, 6.0-information-leak.patch, 7.0-information-leak.patch, 5.2-information-leak.patch