VYPR
High severity · NVD Advisory · Published Feb 11, 2022 · Updated Aug 3, 2024

Exposure of sensitive information in Action Pack

CVE-2022-23633

Description

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. If a response is *not* notified of a close, ActionDispatch::Executor will not know to reset thread-local state before the next request, so data from one request can leak into subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but as a workaround the middleware described in GHSA-wh98-p28r-vrc9 can be used.
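To make the mechanism concrete, the following is an added illustration (not Rails, Rack, or the GHSA middleware): per-request state that is only cleared when the response body's close hook runs, a server stand-in that streams the body but never closes it, and a wrapping middleware that guarantees the close. All class and method names are hypothetical.

```ruby
# Added illustration, not Rails or Rack code: per-request state cleared only
# when the response body is closed, a server that forgets to close it, and a
# middleware that guarantees the close. All names are hypothetical.
module CurrentState  # stand-in for the thread-local state the executor resets
  def self.value; Thread.current[:demo_value]; end
  def self.value=(v); Thread.current[:demo_value] = v; end
  def self.reset!; Thread.current[:demo_value] = nil; end
end
# Body whose #close performs the reset: cleanup is deferred until close.
class ResettingBody
  def initialize(chunks); @chunks = chunks; end
  def each(&blk); @chunks.each(&blk); end
  def close; CurrentState.reset!; end
end
# Hypothetical app: reports the state it found, then stores the caller's id.
APP = lambda do |env|
  leaked = CurrentState.value
  CurrentState.value = env["demo.user"]
  [200, {}, ResettingBody.new(["previous=#{leaked.inspect}"])]
end
# Proxy that closes the inner body once iteration finishes, even on error.
class ClosingBody
  def initialize(body); @body = body; end
  def each(&blk); @body.each(&blk); ensure; close; end
  def close; @body.close if @body.respond_to?(:close); end
end

# Middleware wrapping every response body so the reset cannot be skipped.
class EnsureBodyClosed
  def initialize(app); @app = app; end
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, ClosingBody.new(body)]
  end
end

# Server stand-in that streams the body but never calls #close (the bug).
def serve_without_close(app, user)
  _status, _headers, body = app.call("demo.user" => user)
  buf = +""
  body.each { |chunk| buf << chunk }
  buf
end

# What the second request observes after a first one ran through the same app.
def second_request_sees(app)
  CurrentState.reset!
  serve_without_close(app, "alice")
  serve_without_close(app, "bob")
end
```

Run against the bare app the second request reports `previous="alice"` (the first caller's state leaked); with the wrapping middleware it reports `previous=nil`.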

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions        Patched versions
actionpack    RubyGems    >= 5.0.0.0, < 5.2.6.2    5.2.6.2
actionpack    RubyGems    >= 6.0.0.0, < 6.0.4.6    6.0.4.6
actionpack    RubyGems    >= 6.1.0.0, < 6.1.4.6    6.1.4.6
actionpack    RubyGems    >= 7.0.0.0, < 7.0.2.2    7.0.2.2


Patches

f9a2ad03943d

Fix reloader to work with new Executor signature

https://github.com/rails/rails · Aaron Patterson · Feb 11, 2022 · via ghsa
1 file changed · +1 −1
  • activesupport/lib/active_support/reloader.rb  +1 −1  modified
    @@ -58,7 +58,7 @@ def self.reload!
           prepare!
         end
     
    -    def self.run! # :nodoc:
    +    def self.run!(reset: false) # :nodoc:
           if check!
             super
           else
    
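Review bot: the new `reset:` keyword on `self.run!` is accepted but, in the visible lines, only reaches the parent via the bare `super` in the `if check!` branch, which forwards the caller's arguments implicitly; the `else` branch is cut off here, so it is not visible whether the flag is honoured on that path. Consider forwarding explicitly with `super(reset: reset)` so the dependency on the parent's new signature is obvious to readers, and add a short comment next to `# :nodoc:` saying what `reset: true` does, since neither the hunk nor the commit message explains it.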

