CVE-2024-26144 – Possible Sensitive Session Information Leak in Active Storage
https://notcve.org/view.php?id=CVE-2024-26144
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. • https://github.com/gmo-ierae/CVE-2024-26144-test https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945 https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433 https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3 https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml https://security.netapp.com/advisory/ntap-20240510 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-22792 – rubygem-actionpack: Denial of Service in Action Dispatch
https://notcve.org/view.php?id=CVE-2023-22792
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Action Dispatch module. • https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115 https://security.netapp.com/advisory/ntap-20240202-0007 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2023-22792 https://bugzilla.redhat.com/show_bug.cgi?id=2164800 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVE-2023-22795 – rubygem-actionpack: Denial of Service in Action Dispatch
https://notcve.org/view.php?id=CVE-2023-22795
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in Action Dispatch related to the If-None-Match header. • https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118 https://security.netapp.com/advisory/ntap-20240202-0010 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2023-22795 https://bugzilla.redhat.com/show_bug.cgi?id=2164799 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVE-2022-23634 – Information Exposure when using Puma with Rails
https://notcve.org/view.php?id=CVE-2022-23634
Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. • https://github.com/advisories/GHSA-rmj8-8hhh-gv5h https://github.com/advisories/GHSA-wh98-p28r-vrc9 https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1 https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-404: Improper Resource Shutdown or Release •
CVE-2022-23633 – Exposure of sensitive information in Action Pack
https://notcve.org/view.php?id=CVE-2022-23633
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used. • http://www.openwall.com/lists/oss-security/2022/02/11/5 https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html https://security.netapp.com/advisory/ntap-20240119-0013 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2022-23633 https://bugzilla.redhat.com/show_bug.cgi?id=2063149 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •