Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close
, ActionDispatch::Executor
will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actioncable", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actionmailbox", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actionpack", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actiontext", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-actionview", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-activejob", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-activemodel", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-activerecord", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-activestorage", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-activesupport", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-rails", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" }, { "binary_name": "ruby-railties", "binary_version": "2:6.1.4.1+dfsg-8ubuntu2" } ] }
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actioncable", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actionmailbox", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actionpack", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actiontext", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-actionview", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-activejob", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-activemodel", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-activerecord", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-activestorage", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-activesupport", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-rails", "binary_version": "2:6.1.7.3+dfsg-3" }, { "binary_name": "ruby-railties", "binary_version": "2:6.1.7.3+dfsg-3" } ] }
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actioncable", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actionmailbox", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actionpack", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actiontext", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-actionview", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-activejob", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-activemodel", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-activerecord", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-activestorage", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-activesupport", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-rails", "binary_version": "2:6.1.7.3+dfsg-7" }, { "binary_name": "ruby-railties", "binary_version": "2:6.1.7.3+dfsg-7" } ] }
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-actionpack", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-actionview", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-activejob", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-activemodel", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-activerecord", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-activesupport", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-rails", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" }, { "binary_name": "ruby-railties", "binary_version": "2:4.2.6-1ubuntu0.1~esm2" } ] }
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-actionpack", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-actionview", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-activejob", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-activemodel", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-activerecord", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-activesupport", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-rails", "binary_version": "2:4.2.10-0ubuntu4+esm2" }, { "binary_name": "ruby-railties", "binary_version": "2:4.2.10-0ubuntu4+esm2" } ] }
{ "binaries": [ { "binary_name": "rails", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-actioncable", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-actionmailer", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-actionpack", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-actionview", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-activejob", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-activemodel", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-activerecord", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-activestorage", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-activesupport", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-rails", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" }, { "binary_name": "ruby-railties", "binary_version": "2:5.2.3+dfsg-3ubuntu0.1~esm1" } ] }