VulnerableCode Package Details - pkg:gem/rails@6.1.4.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-63gy-6njy-kbd8 Aliases: CVE-2023-22792 GHSA-p84v-45xj-wwqj GMS-2023-58	ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.	6.1.7.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.4.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-65tq-e5eb-eucj Aliases: CVE-2024-26144 GHSA-8h22-8cf7-hq6g	Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!	6.1.7.7 Affected by 0 other vulnerabilities. 7.0.8.1 Affected by 0 other vulnerabilities.
VCID-hppf-a715-r7b2 Aliases: CVE-2023-22795 GHSA-8xww-x3g3-6jcv GMS-2023-56	ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.	6.1.7.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.0.4.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-63gy-6njy-kbd8
Aliases:
CVE-2023-22792
GHSA-p84v-45xj-wwqj
GMS-2023-58

ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

6.1.7.1
Affected by 1 other vulnerability.

7.0.4.1
Affected by 2 other vulnerabilities.

VCID-65tq-e5eb-eucj
Aliases:
CVE-2024-26144
GHSA-8h22-8cf7-hq6g

Rails has possible Sensitive Session Information Leak in Active Storage # Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!

6.1.7.7
Affected by 0 other vulnerabilities.

7.0.8.1
Affected by 0 other vulnerabilities.

VCID-hppf-a715-r7b2
Aliases:
CVE-2023-22795
GHSA-8xww-x3g3-6jcv
GMS-2023-56

ReDoS based DoS vulnerability in Action Dispatch There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

6.1.7.1
Affected by 1 other vulnerability.

7.0.4.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jwun-grgg-2uet	Exposure of information in Action Pack Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.	CVE-2022-23633 CVE-2022-23634 GHSA-rmj8-8hhh-gv5h GHSA-wh98-p28r-vrc9

Vulnerability

Summary

Aliases

VCID-jwun-grgg-2uet

Exposure of information in Action Pack Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

CVE-2022-23633
CVE-2022-23634
GHSA-rmj8-8hhh-gv5h
GHSA-wh98-p28r-vrc9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:11:15.925748+00:00	GitLab Importer	Affected by	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.3.0
2026-04-11T23:39:31.357437+00:00	GitLab Importer	Affected by	VCID-hppf-a715-r7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22795.yml	38.3.0
2026-04-11T23:39:28.575569+00:00	GitLab Importer	Affected by	VCID-63gy-6njy-kbd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22792.yml	38.3.0
2026-04-03T00:17:16.837435+00:00	GitLab Importer	Affected by	VCID-65tq-e5eb-eucj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2024-26144.yml	38.1.0
2026-04-02T23:43:40.901960+00:00	GitLab Importer	Affected by	VCID-hppf-a715-r7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22795.yml	38.1.0
2026-04-02T23:43:38.550438+00:00	GitLab Importer	Affected by	VCID-63gy-6njy-kbd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22792.yml	38.1.0
2026-04-01T18:06:35.161397+00:00	GitLab Importer	Affected by	VCID-hppf-a715-r7b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22795.yml	38.0.0
2026-04-01T18:06:32.517796+00:00	GitLab Importer	Affected by	VCID-63gy-6njy-kbd8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2023-22792.yml	38.0.0
2026-04-01T12:49:32.951276+00:00	GitLab Importer	Fixing	VCID-jwun-grgg-2uet	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2022-23633.yml	38.0.0