VulnerableCode Package Details - pkg:gem/activesupport@5.2.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-1rxp-g9rz-4yb3 Aliases: CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765	Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.	6.1.7.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.4.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-6ku5-mtgz-zygw Aliases: CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61	Duplicate This advisory duplicates another.	6.1.7.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.4.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-6pxd-xsaw-tuer Aliases: CVE-2023-38037 GHSA-cr5q-6q9f-rq6q	Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5	6.1.7.5 Affected by 0 other vulnerabilities. 7.0.7.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1rxp-g9rz-4yb3
Aliases:
CVE-2023-28120
GHSA-pj73-v5mw-pm9j
GMS-2023-765

Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

6.1.7.3
Affected by 1 other vulnerability.

7.0.4.3
Affected by 1 other vulnerability.

VCID-6ku5-mtgz-zygw
Aliases:
CVE-2023-22796
GHSA-j6gc-792m-qgm2
GMS-2023-61

Duplicate This advisory duplicates another.

6.1.7.1
Affected by 3 other vulnerabilities.

7.0.4.1
Affected by 3 other vulnerabilities.

VCID-6pxd-xsaw-tuer
Aliases:
CVE-2023-38037
GHSA-cr5q-6q9f-rq6q

Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

6.1.7.5
Affected by 0 other vulnerabilities.

7.0.7.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6ku5-mtgz-zygw	Duplicate This advisory duplicates another.	CVE-2023-22796 GHSA-j6gc-792m-qgm2 GMS-2023-61

Vulnerability

Summary

Aliases

VCID-6ku5-mtgz-zygw

Duplicate This advisory duplicates another.

CVE-2023-22796
GHSA-j6gc-792m-qgm2
GMS-2023-61

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:36:42.078776+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.4.0
2026-04-16T22:24:09.077332+00:00	GitLab Importer	Affected by	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.4.0
2026-04-16T22:20:05.634360+00:00	GitLab Importer	Affected by	VCID-6ku5-mtgz-zygw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-22796.yml	38.4.0
2026-04-16T17:40:02.825352+00:00	Ruby Importer	Affected by	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.4.0
2026-04-16T17:40:01.622546+00:00	Ruby Importer	Fixing	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.4.0
2026-04-11T23:55:59.787534+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.3.0
2026-04-11T23:42:19.172170+00:00	GitLab Importer	Affected by	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.3.0
2026-04-11T23:38:00.896645+00:00	GitLab Importer	Affected by	VCID-6ku5-mtgz-zygw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-22796.yml	38.3.0
2026-04-11T21:37:14.050119+00:00	Ruby Importer	Affected by	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.3.0
2026-04-11T21:37:12.727157+00:00	Ruby Importer	Fixing	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.3.0
2026-04-02T23:59:04.057008+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.1.0
2026-04-02T23:46:14.486815+00:00	GitLab Importer	Affected by	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.1.0
2026-04-02T23:42:17.375658+00:00	GitLab Importer	Affected by	VCID-6ku5-mtgz-zygw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-22796.yml	38.1.0
2026-04-02T19:35:18.230270+00:00	Ruby Importer	Affected by	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.1.0
2026-04-02T19:35:17.134197+00:00	Ruby Importer	Fixing	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.1.0
2026-04-01T18:09:25.771596+00:00	GitLab Importer	Affected by	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.0.0
2026-04-01T18:05:00.472433+00:00	GitLab Importer	Affected by	VCID-6ku5-mtgz-zygw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-22796.yml	38.0.0
2026-04-01T15:52:21.479730+00:00	Ruby Importer	Affected by	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.0.0
2026-04-01T15:52:20.157439+00:00	Ruby Importer	Fixing	VCID-6ku5-mtgz-zygw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml	38.0.0