VulnerableCode Package Details - pkg:gem/activesupport@6.1.7.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-6pxd-xsaw-tuer Aliases: CVE-2023-38037 GHSA-cr5q-6q9f-rq6q	Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5	6.1.7.5 Affected by 0 other vulnerabilities. 7.0.7.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6pxd-xsaw-tuer
Aliases:
CVE-2023-38037
GHSA-cr5q-6q9f-rq6q

Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

6.1.7.5
Affected by 0 other vulnerabilities.

7.0.7.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1rxp-g9rz-4yb3	Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.	CVE-2023-28120 GHSA-pj73-v5mw-pm9j GMS-2023-765

Vulnerability

Summary

Aliases

VCID-1rxp-g9rz-4yb3

Possible XSS Security Vulnerability in SafeBuffer#bytesplice There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 # Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe. Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation. Users on older versions of Ruby are likely unaffected. All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately. # Workarounds Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

CVE-2023-28120
GHSA-pj73-v5mw-pm9j
GMS-2023-765

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:36:42.294379+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.4.0
2026-04-16T22:24:09.280352+00:00	GitLab Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.4.0
2026-04-11T23:56:00.022368+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.3.0
2026-04-11T23:42:19.396405+00:00	GitLab Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.3.0
2026-04-02T23:59:04.285929+00:00	GitLab Importer	Affected by	VCID-6pxd-xsaw-tuer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml	38.1.0
2026-04-02T23:46:14.682203+00:00	GitLab Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.1.0
2026-04-02T16:59:08.000648+00:00	GHSA Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://github.com/advisories/GHSA-pj73-v5mw-pm9j	38.1.0
2026-04-01T12:58:34.544758+00:00	GithubOSV Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-pj73-v5mw-pm9j/GHSA-pj73-v5mw-pm9j.json	38.0.0
2026-04-01T12:51:00.809692+00:00	GitLab Importer	Fixing	VCID-1rxp-g9rz-4yb3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/GMS-2023-765.yml	38.0.0