Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-be5x-uyc6-sudm
Vulnerability ID VCID-be5x-uyc6-sudm
Aliases CVE-2022-23633
GHSA-wh98-p28r-vrc9
Summary rubygem-actionpack: information leak between requests
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
epss 0.00187 https://api.first.org/data/v1/epss?cve=CVE-2022-23633
cvssv3.1 7.4 https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
generic_textual HIGH https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wh98-p28r-vrc9
cvssv3.1 7.4 https://github.com/rails/rails
generic_textual HIGH https://github.com/rails/rails
cvssv3.1 7.4 https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
generic_textual HIGH https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
cvssv3.1 7.4 https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
cvssv3.1_qr HIGH https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
generic_textual HIGH https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
cvssv3.1 7.4 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
cvssv3 7.4 https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
cvssv3.1 7.4 https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
generic_textual HIGH https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
cvssv3.1 7.4 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
cvssv3.1 7.4 https://nvd.nist.gov/vuln/detail/CVE-2022-23633
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-23633
cvssv3.1 7.4 https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
generic_textual HIGH https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
cvssv3.1 7.4 https://security.netapp.com/advisory/ntap-20240119-0013
generic_textual HIGH https://security.netapp.com/advisory/ntap-20240119-0013
cvssv3.1 7.4 https://www.debian.org/security/2023/dsa-5372
generic_textual HIGH https://www.debian.org/security/2023/dsa-5372
cvssv3.1 7.4 http://www.openwall.com/lists/oss-security/2022/02/11/5
generic_textual HIGH http://www.openwall.com/lists/oss-security/2022/02/11/5
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
https://api.first.org/data/v1/epss?cve=CVE-2022-23633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
https://nvd.nist.gov/vuln/detail/CVE-2022-23633
https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
https://security.netapp.com/advisory/ntap-20240119-0013
https://security.netapp.com/advisory/ntap-20240119-0013/
https://www.debian.org/security/2023/dsa-5372
http://www.openwall.com/lists/oss-security/2022/02/11/5
1005389 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
2063149 https://bugzilla.redhat.com/show_bug.cgi?id=2063149
RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/rails/rails
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-23633
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20240119-0013
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.debian.org/security/2023/dsa-5372
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at http://www.openwall.com/lists/oss-security/2022/02/11/5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.40348
EPSS Score 0.00187
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:14:10.578590+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json 38.6.0