High severity7.4NVD Advisory· Published Feb 11, 2022· Updated Jun 17, 2026
CVE-2022-23633
CVE-2022-23633
Description
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 5.0.0.0, < 5.2.6.2 | 5.2.6.2 |
actionpackRubyGems | >= 6.0.0.0, < 6.0.4.6 | 6.0.4.6 |
actionpackRubyGems | >= 6.1.0.0, < 6.1.4.6 | 6.1.4.6 |
actionpackRubyGems | >= 7.0.0.0, < 7.0.2.2 | 7.0.2.2 |
Affected products
19- ghsa-coords18 versionspkg:gem/actionpackpkg:rpm/opensuse/ruby3.2-rubygem-actionpack-7.0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/rubygem-actionpack-5_1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/rubygem-actionpack-6.0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-actionpack-7.0&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-activesupport-5_1&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/rubygem-activesupport-5_1&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-actionpack-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/rubygem-activesupport-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-activesupport-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-activesupport-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-activesupport-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-activesupport-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4
>= 5.0.0.0, < 5.2.6.2+ 17 more
- (no CPE)range: >= 5.0.0.0, < 5.2.6.2
- (no CPE)range: < 7.0.4.3-1.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 6.0.4.6-1.1
- (no CPE)range: < 7.0.2.2-1.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.12.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- (no CPE)range: < 5.1.4-150000.3.6.1
- Range: >= 7.0.0.0, < 7.0.2.1
Patches
Vulnerability mechanics
References
13- www.openwall.com/lists/oss-security/2022/02/11/5nvdMailing ListMitigationPatchThird Party AdvisoryWEB
- github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75danvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-wh98-p28r-vrc9ghsaADVISORY
- github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9nvdMitigationThird Party AdvisoryWEB
- lists.debian.org/debian-lts-announce/2022/09/msg00002.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-23633ghsaADVISORY
- www.debian.org/security/2023/dsa-5372nvdThird Party AdvisoryWEB
- discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.ymlghsaWEB
- groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJghsaWEB
- rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-releasedghsaWEB
- security.netapp.com/advisory/ntap-20240119-0013ghsaWEB
- security.netapp.com/advisory/ntap-20240119-0013/nvd
News mentions
0No linked articles in our index yet.