Description
Summary
A local file disclosure vulnerability has been identified in Active Support, affecting versions 5.2.0 and later. The issue is tracked under CVE-2023-38037.
Impact
ActiveSupport::EncryptedFile writes data that is meant to be encrypted into a temporary file during the encryption process.
By default, this temporary file’s permissions are determined by the user’s current umask value.
If the umask is not restrictive (for example, 0022), other users on the same system may have read permissions to the temporary file, potentially exposing sensitive data before encryption is complete.
Attackers with local filesystem access could read these temporary files while they are being edited.
All users running affected releases should upgrade or apply the workaround immediately.
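To make the umask dependence concrete, the following is an added Ruby example (not code from Active Support or from this advisory) contrasting a plain write, whose resulting mode depends only on the umask, with one that requests owner-only permissions at creation time; the `with_umask` helper and file names are constructed for the illustration.

```ruby
require "tmpdir"

# Permission bits (rwx for owner/group/other) of a path.
def permission_bits(path)
  File.stat(path).mode & 0o777
end

# Runs the block with the process umask temporarily set to +umask+,
# restoring the previous value afterwards.
def with_umask(umask)
  old = File.umask(umask)
  yield
ensure
  File.umask(old)
end

# Weak pattern: a plain write creates the file with Ruby's default creation
# mode (0666), so only the caller's umask decides who else can read it.
def write_plain(path, contents)
  File.binwrite(path, contents)
  permission_bits(path)
end

# Hardened pattern: request 0600 at creation and refuse to reuse a file that
# already exists (EXCL); the umask can only remove bits, never add them.
def write_owner_only(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(contents)
  end
  permission_bits(path)
end

# Creates both files under the given umask in a private scratch directory
# and returns [plain_mode, hardened_mode].
def compare_modes(umask)
  Dir.mktmpdir do |dir|
    with_umask(umask) do
      [write_plain(File.join(dir, "plain.tmp"), "constructed secret"),
       write_owner_only(File.join(dir, "safe.tmp"), "constructed secret")]
    end
  end
end

if __FILE__ == $0
  plain, safe = compare_modes(0o022)
  printf("umask 022: plain write => %04o, explicit 0600 => %04o\n", plain, safe)
end
```

Under a permissive umask of 0022 the plain write yields a world-readable 0644 file while the explicit-mode write stays at 0600; under a restrictive umask such as 0077 both end up at 0600, which is why tightening the umask is a workable interim mitigation.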
Affected Versions
Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed versions: 7.0.7.1, 6.1.7.5
Fix / Recommendation
Upgrade activesupport from 5.2.6 to 6.1.7.5 or newer.