PT-2023-26260 · Ruby On Rails+3 · Active Support+3

Maxfell · Published 2023-08-23 · Updated 2026-02-16 · CVE-2023-38037

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Active Support versions 5.2.0 through 7.0.7.0 (7.0 series; fixed in 7.0.7.1)
Active Support versions 6.1.7.4 and earlier (6.1 series; fixed in 6.1.7.5)

Description

ActiveSupport::EncryptedFile writes the plaintext contents that are about to be encrypted (for example, while credentials are being edited) to a temporary file whose permissions are whatever the process's current umask yields. With a common umask such as 022 the file is created world-readable, so another local user on the same host can read the plaintext for as long as the temporary file exists, that is, while the user is editing it. Exploitation requires an account (or other file system access) on the same machine; there is no remote vector.

Recommendations

For Active Support versions 5.2.0 through 7.0.7.0, upgrade to version 7.0.7.1. For Active Support versions 6.1.7.4 and earlier, upgrade to version 6.1.7.5. As a temporary workaround, set a more restrictive umask (for example umask 0077) in the shell before running the command that edits the encrypted file; the umask is inherited by the Ruby process, so the temporary file is then created without group or other permission bits. The workaround only covers edits started from a shell where that umask is in effect, so upgrading remains the real fix.
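As an added example (illustrative code written for this page, not Active Support's own implementation), the following Ruby script shows the mechanism behind the advisory: a file created with File.binwrite gets mode 0666 masked by the process umask, so under umask 022 it is world-readable, while passing an explicit 0600 mode (and O_EXCL, so a pre-created file at the same path is never reused) yields a private file under any umask. It also includes the check an operator would run on a live temporary file. The sample plaintext and file names are constructed for the demo; nothing here is taken from Rails.

```ruby
require "tmpdir"

# Added illustration, not Rails' code: why a plaintext temp file written
# with File.binwrite inherits the process umask, and how to create it
# 0600 regardless of umask. All paths below live in a throwaway tmpdir.

SAMPLE_PLAINTEXT = "secret_key_base: 0123456789abcdef\n" # constructed sample

# Mirrors the vulnerable pattern: the file is created with 0666 & ~umask,
# so the resulting mode depends entirely on the caller's environment.
def write_with_default_perms(path, contents)
  File.binwrite(path, contents)
  File.stat(path).mode & 0o777
end

# Hardened pattern: request 0600 explicitly and refuse to reuse an
# existing file (EXCL), so a pre-created world-readable file at the same
# path cannot be hijacked. 0600 & ~umask stays 0600 for any sane umask.
def write_private(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL | File::BINARY, 0o600) do |f|
    f.write(contents)
  end
  File.stat(path).mode & 0o777
end

# The check an operator would run on a live temp file: any group/other bit set?
def readable_by_other_users?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Temporarily change the process umask, restoring it afterwards.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old)
end

# Runs each writer under a permissive (022) and a restrictive (077) umask,
# the latter being the advisory's workaround, and returns the resulting
# modes and exposure flags so they can be compared.
def demo
  results = {}
  Dir.mktmpdir("encrypted_file_demo") do |dir|
    { 0o022 => :umask_022, 0o077 => :umask_077 }.each do |mask, label|
      with_umask(mask) do
        default_path = File.join(dir, "#{label}_default.yml")
        private_path = File.join(dir, "#{label}_private.yml")
        results[:"#{label}_default"] = write_with_default_perms(default_path, SAMPLE_PLAINTEXT)
        results[:"#{label}_default_exposed"] = readable_by_other_users?(default_path)
        results[:"#{label}_private"] = write_private(private_path, SAMPLE_PLAINTEXT)
        results[:"#{label}_private_exposed"] = readable_by_other_users?(private_path)
      end
    end
  end
  results
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts format("%-26s %s", k, v.is_a?(Integer) ? v.to_s(8) : v) }
end
```

Run it on a POSIX system: under umask 022 the default writer produces a 644 file that readable_by_other_users? flags as exposed, whereas the explicit-mode writer produces 600 under both umasks; under umask 077 even the default writer produces 600, which is exactly why the advisory's umask workaround helps while the temporary file exists.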

Exploit

Fix

Weakness Enumeration

Incorrect Permission

Related identifiers

ALT-PU-2024-7877
CVE-2023-38037
DLA-4383-1
DSA-5881-1
GHSA-CR5Q-6Q9F-RQ6Q
OESA-2023-1627
OESA-2023-1633
OPENSUSE-SU-2023:0350-1
OPENSUSE-SU-2024:13397-1
OPENSUSE-SU-2024:13432-1
OPENSUSE-SU-2024:13433-1
OPENSUSE-SU-2024:14069-1
OPENSUSE-SU-2024:14071-1
OPENSUSE-SU-2024:14074-1
OPENSUSE-SU-2025:15112-1
OPENSUSE-SU-2025:15114-1
OPENSUSE-SU-2025:15124-1
RHSA-2024:2010

Affected products

Alt Linux
Active Support
Debian
Red Os