PT-2023-26260 · Ruby On Rails+3 · Active Support+3

Maxfell · Published 2023-08-23 · Updated 2026-02-16 · CVE-2023-38037

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Active Support versions 5.2.0 through 7.0.7.0
Active Support versions 6.1.7.4 and earlier

Description

The issue arises because ActiveSupport::EncryptedFile writes its decrypted contents to a temporary file whose permissions are determined by the process's current umask. With a typical default umask (such as 0022) the temporary file is readable by other users on the same system. An attacker with a local account on that host could read the contents of the temporary file while a user is editing it.

Recommendations

For Active Support versions 5.2.0 through 7.0.7.0, upgrade to version 7.0.7.1. For Active Support versions 6.1.7.4 and earlier, upgrade to version 6.1.7.5. As a temporary workaround, set a more restrictive umask, such as umask 0077, before editing encrypted files so the temporary file is created owner-only.
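The following Ruby script is an added illustration, not code from this advisory or from the Rails project. It shows why the umask matters: a file written with a default mode inherits `0666 & ~umask`, so under umask 0022 it is group- and world-readable, while under the recommended umask 0077 it is owner-only. It also shows a hardened write that passes an explicit mode so the result is owner-only regardless of umask; that hardened variant is an illustrative pattern, not the upstream patch. The function names, the temp path and the sample contents are constructed for this example.

```ruby
require "tmpdir"
require "pathname"

# Constructed sample content standing in for decrypted credentials being edited.
SAMPLE_CONTENTS = "secret_key_base: 0123456789abcdef\n".freeze

# Weak pattern: relies on the process umask. Pathname#binwrite opens the file
# with the default creation mode 0666, so the stored mode is 0666 & ~umask.
# Returns the resulting permission bits.
def write_tmp_umask_dependent(path, contents)
  Pathname.new(path).binwrite(contents)
  File.stat(path).mode & 0o777
end

# Hardened pattern (illustrative, not the upstream fix): create the file with an
# explicit owner-only mode, then chmod in case the path already existed with
# looser permissions. Returns the resulting permission bits.
def write_tmp_owner_only(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.binmode
    f.write(contents)
  end
  File.chmod(0o600, path)
  File.stat(path).mode & 0o777
end

# Run a block under a given umask and restore the previous umask afterwards.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old)
end

# The exposure condition from the advisory: any read bit for group or others.
def exposed_to_other_users?(path)
  (File.stat(path).mode & 0o044) != 0
end

# Exercise both write patterns under a permissive and a restrictive umask.
# Returns a hash keyed by [pattern, umask] => { mode:, exposed: }.
def compare_umasks
  results = {}
  Dir.mktmpdir do |dir|
    path = File.join(dir, "credentials.yml.tmp") # constructed temp path
    [0o022, 0o077].each do |mask|
      with_umask(mask) do
        File.delete(path) if File.exist?(path)
        mode = write_tmp_umask_dependent(path, SAMPLE_CONTENTS)
        results[[:umask_dependent, mask]] = { mode: mode, exposed: exposed_to_other_users?(path) }
        File.delete(path)

        mode = write_tmp_owner_only(path, SAMPLE_CONTENTS)
        results[[:owner_only, mask]] = { mode: mode, exposed: exposed_to_other_users?(path) }
        File.delete(path)
      end
    end
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  compare_umasks.each do |(pattern, mask), r|
    printf("%-16s umask %04o -> mode %04o exposed=%s\n", pattern, mask, r[:mode], r[:exposed])
  end
end
```

On a system with the default umask 0022 the umask-dependent write yields mode 0644 and is readable by other local users; setting umask 0077 (the advisory's workaround) yields 0600. The explicit-mode write yields 0600 under both umasks, which is why a code-level fix is preferable to relying on every operator's shell configuration.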

Exploit

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers

ALT-PU-2024-7877
CVE-2023-38037
DLA-4383-1
DSA-5881-1
GHSA-CR5Q-6Q9F-RQ6Q
OESA-2023-1627
OESA-2023-1633
OPENSUSE-SU-2023:0350-1
OPENSUSE-SU-2024:13397-1
OPENSUSE-SU-2024:13432-1
OPENSUSE-SU-2024:13433-1
OPENSUSE-SU-2024:14069-1
OPENSUSE-SU-2024:14071-1
OPENSUSE-SU-2024:14074-1
OPENSUSE-SU-2025:15112-1
OPENSUSE-SU-2025:15114-1
OPENSUSE-SU-2025:15124-1
RHSA-2024:2010

Affected Products

Alt Linux
Active Support
Debian
Red Os