CVE-2022-23633.yml
---
gem: actionpack
framework: rails
cve: 2022-23633
ghsa: wh98-p28r-vrc9
url: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
title: Possible exposure of information vulnerability in Action Pack
date: 2022-02-11
description: |
  ## Impact

  Under certain circumstances response bodies will not be closed, for example a
  bug in a webserver (https://github.com/puma/puma/pull/2812) or a bug in a Rack
  middleware. In the event a response is not notified of a `close`,
  `ActionDispatch::Executor` will not know to reset thread local state for the
  next request. This can lead to data being leaked to subsequent requests,
  especially when interacting with `ActiveSupport::CurrentAttributes`.

  Upgrading to the FIXED versions of Rails will ensure mitigation of this issue
  even in the context of a buggy webserver or middleware implementation.

  ## Patches

  This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

  ## Workarounds

  Upgrading is highly recommended, but to work around this problem the following
  middleware can be used:

  ```
  class GuardedExecutor < ActionDispatch::Executor
    def call(env)
      ensure_completed!
      super
    end

    private

      def ensure_completed!
        @executor.new.complete! if @executor.active?
      end
  end

  # Ensure the guard is inserted before ActionDispatch::Executor
  Rails.application.configure do
    config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
  end
  ```
cvss_v3: 7.4
unaffected_versions:
  - "< 5.0.0"
patched_versions:
  - "~> 5.2.6, >= 5.2.6.2"
  - "~> 6.0.4, >= 6.0.4.6"
  - "~> 6.1.4, >= 6.1.4.6"
  - ">= 7.0.2.2"
related:
  url:
    - https://github.com/rails/rails/commit/10c64a472f2f19a5e485bdac7d5106a76aeb29a5
    - https://github.com/rails/rails/blob/7-0-stable/actionpack/CHANGELOG.md#rails-7021-february-11-2022