CVE-2022-23633

7.4 HIGH

📋 TL;DR

CVE-2022-23633 is an information-disclosure vulnerability in Ruby on Rails Action Pack: when a response body is not closed, ActionDispatch::Executor never resets the thread-local state it holds for that request, so that state persists into the next request served on the same thread. Sensitive data from one user's request can therefore leak into later requests from other users. All Rails applications on affected versions are vulnerable.

💻 Affected Systems

Products:
  • Ruby on Rails
Versions: Rails 5.2.0 to 5.2.6.0, 6.0.0 to 6.0.4.4, 6.1.0 to 6.1.4.4, 7.0.0 to 7.0.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Rails applications using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive user data (authentication tokens, personal information, session data) from one user is exposed to other users in subsequent requests, potentially leading to account takeover and privacy violations.

🟠 Likely Case

Intermittent data leakage between user sessions, exposing fragments of sensitive information that could be pieced together by attackers.

🟢 If Mitigated

With proper patching or workarounds, no data leakage occurs between requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific conditions where response bodies aren't closed, but no authentication is needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, or 5.2.6.1

Vendor Advisory: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify the patched Rails version.
2. Run 'bundle update rails'.
3. Restart the application server.
4. Test application functionality.

🔧 Temporary Workarounds

Middleware Workaround

Applies to: all affected versions

Add middleware to ensure response bodies are properly closed between requests, as described in the GHSA-wh98-p28r-vrc9 advisory.
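The failure mode that the workaround addresses, as an added illustration and not the advisory's own middleware: a simulated executor that resets thread-local state only when the response body is closed carries the previous user into the next request when a server never calls close, while a defensive middleware that resets the state at the start of every request closes that gap. The Current module, BodyProxy, CloseOnlyExecutor, ResetBeforeRequest and the app are all constructed stand-ins for this example, not Rails or Rack code; the advisory's published middleware should be used as given there.

```ruby
# Stand-in for per-request thread-local state such as a "current user"
# (constructed for this example; not ActiveSupport code).
module Current
  def self.user;     Thread.current[:current_user];       end
  def self.user=(u); Thread.current[:current_user] = u;   end
  def self.reset;    Thread.current[:current_user] = nil; end
end

# Minimal body proxy: the reset hook fires only when the server calls #close.
class BodyProxy
  def initialize(body, &on_close); @body, @on_close = body, on_close; end
  def each(&blk); @body.each(&blk); end
  def close;      @on_close.call;   end
end

# Models the pre-fix executor: per-request state is cleared only on body close.
class CloseOnlyExecutor
  def initialize(app); @app = app; end
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { Current.reset }]
  end
end

# Defensive middleware (assumed, not the advisory's code): clear the state
# before every request so a missed close cannot carry it into the next one.
class ResetBeforeRequest
  def initialize(app); @app = app; end
  def call(env)
    Current.reset
    @app.call(env)
  end
end

# Constructed app: a request carrying X-User sets Current.user; every
# request echoes whatever Current.user holds at that moment.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env["HTTP_X_USER"]
  [200, {}, ["user=#{Current.user.inspect}"]]
end

# Two sequential requests through a server that never closes the body.
def run_without_close(app)
  app.call("HTTP_X_USER" => "alice")   # body is never closed
  _, _, body = app.call({})             # unrelated request from someone else
  out = +""; body.each { |chunk| out << chunk }; out
end

def leaky_result;    run_without_close(CloseOnlyExecutor.new(APP)); end
def hardened_result; run_without_close(CloseOnlyExecutor.new(ResetBeforeRequest.new(APP))); end
```

leaky_result returns the previous user's identity in the second, unrelated request; hardened_result returns nil for it.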

🧯 If You Can't Patch

  • Implement the middleware workaround from the GitHub advisory
  • Isolate affected applications behind additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check the Rails version with 'rails --version' or examine Gemfile.lock for the rails gem version.

Check Version:

rails --version

Verify Fix Applied:

Confirm the Rails version is at least the patched release for its series: 7.0.2.1, 6.1.4.5, 6.0.4.5, or 5.2.6.1, or a later release in that series.

📡 Detection & Monitoring

Log Indicators:

  • Unusual response patterns, unexpected data in responses, thread-related errors

Network Indicators:

  • Inconsistent response data between similar requests

SIEM Query:

Search for application errors containing 'ActionDispatch::Executor' or thread state warnings
