CVE-2022-23634.yml
---
gem: puma
cve: 2022-23634
ghsa: rmj8-8hhh-gv5h
url: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
title: Information Exposure with Puma when used with Rails
date: 2022-02-11
description: |
  ### Impact

  Prior to `puma` version `5.6.2`, `puma` may not always call
  `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the
  response body being closed in order for its `CurrentAttributes` implementation to
  work correctly.

  From Rails:

  > Under certain circumstances response bodies will not be closed, for example
  > a bug in a webserver[1] or a bug in a Rack middleware. In the event a
  > response is not notified of a close, ActionDispatch::Executor will not know
  > to reset thread local state for the next request. This can lead to data
  > being leaked to subsequent requests, especially when interacting with
  > ActiveSupport::CurrentAttributes.

  The combination of these two behaviors (Puma not closing the body + Rails'
  Executor implementation) causes information leakage.

  ### Patches

  This problem is fixed in Puma versions 5.6.2 and 4.3.11.

  This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

  See: https://github.com/advisories/GHSA-wh98-p28r-vrc9
  for details about the Rails vulnerability.

  Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

  ### Workarounds

  Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.

  The [Rails CVE](https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1)
  includes a middleware that can be used instead.
cvss_v3: 8.0
patched_versions:
  - "~> 4.3.11"
  - ">= 5.6.2"
related:
  cve:
    - 2022-23633
  ghsa:
    - wh98-p28r-vrc9
  url:
    - https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb