PT-2022-16147 · Unknown+6 · Action Pack+8
Tenderlove
Published: 2022-02-11 · Updated: 2025-09-29
CVE-2022-23633
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 7.0.2.2
Rails versions prior to 6.1.4.6
Rails versions prior to 6.0.4.6
Rails versions prior to 5.2.6.2
Puma versions prior to 5.6.2
Puma versions prior to 4.3.11

Description
Action Pack is a framework for handling and responding to web requests. Under certain circumstances, response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes. The combination of Puma not closing the body and Rails' Executor implementation causes information leakage.

Recommendations
For Rails versions prior to 7.0.2.2, upgrade to version 7.0.2.2 or later.
For Rails versions prior to 6.1.4.6, upgrade to version 6.1.4.6 or later.
For Rails versions prior to 6.0.4.6, upgrade to version 6.0.4.6 or later.
For Rails versions prior to 5.2.6.2, upgrade to version 5.2.6.2 or later.
For Puma versions prior to 5.6.2, upgrade to version 5.6.2 or later.
For Puma versions prior to 4.3.11, upgrade to version 4.3.11 or later.
As a temporary workaround, consider using the middleware described in GHSA-wh98-p28r-vrc9 to mitigate the issue. Alternatively, you can use the following middleware:
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    # Finish any executor run left active by a previous request whose
    # body was never closed, so its thread-local state cannot leak here.
    ensure_completed!
    super
  end

  private

  def ensure_completed!
    @executor.new.complete! if @executor.active?
  end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
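The leak described above and the effect of the guard, as an added, constructed simulation (not Rails or Puma code): Current, FakeExecutor, BodyProxy, ExecutorMiddleware and leak_demo are stand-ins assumed here to mimic the executor, the body-close hook, and a server that never closes the body.

```ruby
# Constructed simulation, not Rails or Puma code: an unclosed response body never
# triggers complete!, so thread-local request state survives into the next request
# on that thread unless a guard completes the stale executor first.
# Stand-in for ActiveSupport::CurrentAttributes (thread-local request state).
module Current
  def self.user;     Thread.current[:current_user];       end
  def self.user=(u); Thread.current[:current_user] = u;   end
  def self.reset;    Thread.current[:current_user] = nil; end
end
# Stand-in for the Rails executor: run! marks a request active, complete! resets
# request state. `new` returns self so `@executor.new.complete!` works as on the page.
class FakeExecutor
  @active = false
  class << self
    def active?;   @active; end
    def run!;      @active = true; end
    def complete!; Current.reset; @active = false; end
    def new;       self; end
  end
end
# Rack-style body wrapper: the on_close hook only fires if the server calls close.
class BodyProxy
  def initialize(body, &on_close); @body, @on_close = body, on_close; end
  def each(&blk); @body.each(&blk); end
  def close; @on_close.call; end
end
# Simplified ActionDispatch::Executor: resets state only when the body is closed.
class ExecutorMiddleware
  def initialize(app, executor); @app, @executor = app, executor; end
  def call(env)
    @executor.run!
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { @executor.complete! }]
  end
end
# Same guard as the page's workaround: finish any executor left active.
class GuardedExecutorMiddleware < ExecutorMiddleware
  def call(env)
    @executor.new.complete! if @executor.active?
    super
  end
end
APP = lambda do |env|  # constructed app: "user" sets Current.user; every request reports it
  Current.user = env["user"] if env["user"]
  [200, {}, ["seen=#{Current.user.inspect}"]]
end
# Serves two requests on one thread but never calls body.close (the unclosed-body bug).
def leak_demo(guarded)
  FakeExecutor.complete!  # fresh state for each run
  stack = (guarded ? GuardedExecutorMiddleware : ExecutorMiddleware).new(APP, FakeExecutor)
  [{ "user" => "alice" }, {}].map { |env| stack.call(env)[2].each.to_a.join }
end
```

Without the guard the second, anonymous request reports "alice"; with the guard it reports nil.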

Weakness Enumeration
Improper Resource Release
Information Disclosure

Related Identifiers

ALSA-2025_16880
ALT-PU-2022-2630
ALT-PU-2023-4268
ALT-PU-2024-7814
CVE-2022-23633
DLA-3093-1
DSA-5372-1
GHSA-RMJ8-8HHH-GV5H
GHSA-WH98-P28R-VRC9
OESA-2024-1762
OESA-2024-1763
OESA-2024-1764
OESA-2024-1777
OESA-2024-1778
OESA-2024-1779
OESA-2024-1810
OPENSUSE-SU-2022_2108-1
OPENSUSE-SU-2024:11869-1
OPENSUSE-SU-2024:11899-1
OPENSUSE-SU-2024:12878-1
OPENSUSE-SU-2024:14067-1
OPENSUSE-SU-2025:15110-1
RHSA-2022:5498
RLSA-2022:5498
SUSE-SU-2022:2108-1

Affected Products

Alt Linux
Action Pack
ActionDispatch::Executor
ActiveSupport::CurrentAttributes
Astra Linux
Puma
Rails
Rocky Linux
Suse