HIGH 7.4

GHSA-wh98-p28r-vrc9

Exposure of information in Action Pack

Details

### Impact

Under certain circumstances response bodies will not be closed, for example a [bug in a webserver](https://github.com/puma/puma/pull/2812) or a bug in a Rack middleware. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`.

Upgrading to the FIXED versions of Rails will ensure mitigation of this issue even in the context of a buggy webserver or middleware implementation.

### Patches

This has been fixed in Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

### Workarounds

Upgrading is highly recommended, but to work around this problem the following middleware can be used:

```ruby
class GuardedExecutor < ActionDispatch::Executor
  def call(env)
    ensure_completed!
    super
  end

  private

    def ensure_completed!
      @executor.new.complete! if @executor.active?
    end
end

# Ensure the guard is inserted before ActionDispatch::Executor
Rails.application.configure do
  config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor
end
```
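To make the failure mode and the workaround concrete, here is an added, self-contained model that is not Rails' code: `Current`, `Executor`, `Body` and `serve` are constructed stand-ins for `ActiveSupport::CurrentAttributes`, `ActionDispatch::Executor`, a Rack response body and a webserver that never calls `close`. It shows the second request observing the first request's user, and the guard (the `ensure_completed!` step above) preventing that:

```ruby
# Constructed model of the leak, not Rails' own code: thread-local state
# that is only reset when the response body is closed, a server that never
# closes it, and a guard that completes a still-active executor first.
module Current
  def self.user;     Thread.current[:current_user]; end
  def self.user=(u); Thread.current[:current_user] = u; end
end
module Executor   # stand-in for ActionDispatch::Executor's request lifecycle
  def self.active?; Thread.current[:executor_active]; end
  def self.run!;    Thread.current[:executor_active] = true; end
  def self.complete!
    Current.user = nil                       # reset thread-local state
    Thread.current[:executor_active] = false
  end
end
class Body        # Rack-style body; close is what completes the executor
  def initialize(text); @text = text; end
  def each; yield @text; end
  def close; Executor.complete!; end
end
# App: reports what Current.user held on entry (anything but nil is data
# leaked from an earlier request), then sets this request's user.
APP = lambda do |env|
  seen = Current.user
  Current.user = env["user"]
  [200, {}, Body.new(seen.to_s)]
end
def executor_middleware(guarded:)   # guarded: true adds ensure_completed!
  lambda do |env|
    Executor.complete! if guarded && Executor.active?
    Executor.run!
    APP.call(env)
  end
end
def serve(app, env)   # buggy server: reads the body but never calls close
  _status, _headers, body = app.call(env)
  out = +""
  body.each { |chunk| out << chunk }
  out
end
# What the second request saw in Current.user on entry ("" when clean).
def leak_seen_by_second_request(guarded:)
  Executor.complete!                 # start each scenario from a clean thread
  app = executor_middleware(guarded: guarded)
  serve(app, "user" => "alice")
  serve(app, "user" => "bob")
end
```

Without the guard the second request starts with `"alice"` in `Current.user`; with it, the stale executor is completed before `run!` and the second request starts clean.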


Affected packages

| Package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| RubyGems / actionpack | 5.0.0.0 | 5.2.6.2 | `bundle update actionpack` |
| RubyGems / actionpack | 6.0.0.0 | 6.0.4.6 | `bundle update actionpack` |
| RubyGems / actionpack | 6.1.0.0 | 6.1.4.6 | `bundle update actionpack` |
| RubyGems / actionpack | 7.0.0.0 | 7.0.2.2 | `bundle update actionpack` |
