Ruby/activesupport/7.0.4.3

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

https://rubygems.org/gems/activesupport
MIT

5 Security Vulnerabilities

Rails Active Support has a possible DoS vulnerability in its number helpers

Published date: 2026-03-23T21:15:16Z
CVE: CVE-2026-33176
Links:

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Credit

https://hackerone.com/manun

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Published date: 2026-03-23T20:53:28Z
CVE: CVE-2026-33170
Links:

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by @ch4n3-yoon

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Published date: 2026-03-23T20:52:40Z
CVE: CVE-2026-33169
Links:

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

Affected versions: ["7.2.3", "7.2.2.2", "7.2.2.1", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.2.0.rc1", "7.2.0.beta3", "7.2.0.beta2", "7.2.0.beta1", "7.1.6", "7.1.5.2", "7.1.5.1", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.1.0.rc2", "7.1.0.rc1", "7.1.0.beta1", "7.0.10", "7.0.9", "7.0.8.7", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.pre", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.6.pre", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.4.4", "1.4.3", "1.4.2", "1.4.1", "1.4.0", "1.3.1", "1.3.0", "1.2.5", "1.2.4", "1.2.3", "1.2.2", "1.2.1", "1.1.1", "1.1.0", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "8.0.4", "8.0.3", "8.0.2.1", "8.0.2", "8.0.1", "8.0.0.1", "8.0.0", "8.0.0.rc2", "8.0.0.rc1", "8.0.0.beta1", "8.1.2", "8.1.1", "8.1.0", "8.1.0.rc1", "8.1.0.beta1"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Active Support Possibly Discloses Locally Encrypted Files

Published date: 2023-08-23T20:36:24Z
CVE: CVE-2023-38037
Links:

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

Affected versions: ["7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

Possible File Disclosure of Locally Encrypted Files

Published date: 2023-08-23
Framework: rails
CVE: 2023-38037
CVSS V3: 5.5
Links:

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

  • Versions Affected: >= 5.2.0
  • Not affected: < 5.2.0
  • Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

Affected versions: ["6.0.2.1", "6.0.2.rc1", "5.2.4.3", "5.2.0", "6.0.3.2", "6.0.3", "5.2.4.1", "5.2.2.rc1", "6.0.3.1", "6.0.2.2", "6.0.0", "6.0.0.rc2", "5.2.4", "5.2.2.1", "5.2.1.rc1", "6.0.3.rc1", "6.0.2", "6.0.1", "5.2.4.2", "5.2.4.rc1", "6.0.3.3", "6.0.2.rc2", "5.2.3.rc1", "6.0.0.beta2", "5.2.4.4", "5.2.1.1", "6.0.0.beta3", "5.2.2", "5.2.1", "6.1.0.rc1", "6.0.3.4", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta1", "5.2.3", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.0.3.5", "5.2.4.5", "6.1.2.1", "6.1.3", "6.1.3.1", "5.2.5", "6.0.3.6", "6.0.3.7", "6.1.3.2", "5.2.4.6", "5.2.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha1", "7.0.0.alpha2", "7.0.0.rc1", "6.1.4.3", "7.0.0.rc3", "6.0.4.2", "6.1.4.2", "6.0.4.3", "7.0.0.rc2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.5", "6.0.4.6", "5.2.6.1", "5.2.6.2", "6.1.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "6.1.4.7", "5.2.6.3", "6.1.5", "5.2.7", "5.2.7.1", "6.0.4.8", "7.0.2.4", "6.1.5.1", "7.0.3", "5.2.8", "6.0.5", "6.1.6", "6.1.6.1", "5.2.8.1", "6.0.5.1", "7.0.3.1", "6.1.7", "7.0.4", "6.0.6", "7.0.4.1", "6.0.6.1", "6.1.7.1", "6.1.7.2", "7.0.4.2", "7.0.4.3", "6.1.7.3", "7.0.5", "6.1.7.4", "7.0.5.1", "7.0.6", "7.0.7"]
Secure versions: [7.2.3.1, 8.0.4.1, 8.0.5, 8.1.2.1, 8.1.3]
Recommendation: Update to version 8.1.3.

502 Other Versions

Version License Security Released
1.0.1 UNKNOWN 16 2009-07-25 - 18:35 over 16 years
1.0.0 UNKNOWN 16 2009-07-25 - 18:35 over 16 years