Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/activesupport@6.0.2.2

Type gem

Namespace

Name activesupport

Version 6.0.2.2

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 7.2.3.1

Latest_non_vulnerable_version 8.1.2.1

Affected_by_vulnerabilities

url VCID-7s2b-9sgy-4qb4

vulnerability_id VCID-7s2b-9sgy-4qb4

summary

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters.
This could produce quadratic time complexity on long digit strings.

### Releases
The fixed releases are available at the normal locations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33169.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33169

reference_id

reference_type

scores

value	0.00021
scoring_system	epss
scoring_elements	0.06143
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33169

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11

reference_url

https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974

reference_url

https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49

reference_url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_url

https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T15:45:49Z/

url

https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33169

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33169

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id	1132035
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450556
reference_id	2450556
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450556

fixed_packages

url	pkg:gem/activesupport@7.2.3.1
purl	pkg:gem/activesupport@7.2.3.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1

url	pkg:gem/activesupport@8.0.4.1
purl	pkg:gem/activesupport@8.0.4.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1

url	pkg:gem/activesupport@8.1.2.1
purl	pkg:gem/activesupport@8.1.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1

aliases CVE-2026-33169, GHSA-cg4j-q9v8-6v38

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7s2b-9sgy-4qb4

url VCID-839h-sa86-2be5

vulnerability_id VCID-839h-sa86-2be5

summary

Possible XSS Security Vulnerability in SafeBuffer#bytesplice
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

# Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport does not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

# Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28120.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-28120

reference_id

reference_type

scores

value	0.00406
scoring_system	epss
scoring_elements	0.61462
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-28120

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23913

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28120

reference_url

https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO

reference_url

https://security.netapp.com/advisory/ntap-20240202-0006

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0006

reference_url

https://www.debian.org/security/2023/dsa-5389

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://www.debian.org/security/2023/dsa-5389

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262
reference_id	1033262
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033262

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2179637
reference_id	2179637
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2179637

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-28120

reference_id

CVE-2023-28120

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-28120

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml

reference_id

CVE-2023-28120.YML

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-28120.yml

reference_url	https://github.com/advisories/GHSA-pj73-v5mw-pm9j
reference_id	GHSA-pj73-v5mw-pm9j
reference_type
scores
url	https://github.com/advisories/GHSA-pj73-v5mw-pm9j

reference_url

https://security.netapp.com/advisory/ntap-20240202-0006/

reference_id

ntap-20240202-0006

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://security.netapp.com/advisory/ntap-20240202-0006/

reference_url	https://access.redhat.com/errata/RHSA-2023:1953
reference_id	RHSA-2023:1953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1953

reference_url	https://access.redhat.com/errata/RHSA-2023:3495
reference_id	RHSA-2023:3495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3495

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/

reference_id

UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/

reference_id

ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:44:02Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/

fixed_packages

url pkg:gem/activesupport@6.1.7.3

purl pkg:gem/activesupport@6.1.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-usar-ms97-kbep

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.3

url pkg:gem/activesupport@7.0.4.3

purl pkg:gem/activesupport@7.0.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-usar-ms97-kbep

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.4.3

aliases CVE-2023-28120, GHSA-pj73-v5mw-pm9j, GMS-2023-765

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-839h-sa86-2be5

url VCID-bq89-45d8-67a3

vulnerability_id VCID-bq89-45d8-67a3

summary

Duplicate
This advisory duplicates another.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22796.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22796

reference_id

reference_type

scores

value	0.01484
scoring_system	epss
scoring_elements	0.81345
published_at	2026-06-04T12:55:00Z

value	0.01484
scoring_system	epss
scoring_elements	0.81372
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22796

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/

url

https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/2164d4f6a1bde74b911fe9ba3c8df1b5bf345bf8

reference_url

https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef

reference_url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164736
reference_id	2164736
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164736

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22796

reference_id

CVE-2023-22796

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22796

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml

reference_id

CVE-2023-22796.YML

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-22796.yml

reference_url	https://github.com/advisories/GHSA-j6gc-792m-qgm2
reference_id	GHSA-j6gc-792m-qgm2
reference_type
scores
url	https://github.com/advisories/GHSA-j6gc-792m-qgm2

reference_url

https://security.netapp.com/advisory/ntap-20240202-0009/

reference_id

ntap-20240202-0009

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-05T21:51:29Z/

url

https://security.netapp.com/advisory/ntap-20240202-0009/

reference_url	https://access.redhat.com/errata/RHSA-2023:4341
reference_id	RHSA-2023:4341
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:4341

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/activesupport@6.1.7.1

purl pkg:gem/activesupport@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-839h-sa86-2be5

vulnerability	VCID-bq89-45d8-67a3

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-usar-ms97-kbep

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.1

url pkg:gem/activesupport@7.0.4.1

purl pkg:gem/activesupport@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-839h-sa86-2be5

vulnerability	VCID-bq89-45d8-67a3

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-usar-ms97-kbep

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.4.1

aliases CVE-2023-22796, GHSA-j6gc-792m-qgm2, GMS-2023-61

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bq89-45d8-67a3

url VCID-k5ev-tcr1-3kbz

vulnerability_id VCID-k5ev-tcr1-3kbz

summary

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```
data = cache.fetch("demo", raw: true) { untrusted_string }
```

Versions Affected:  rails < 5.2.5, rails < 6.0.4
Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the `raw` argument should be double-checked to ensure that they conform to the expected format.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8165

reference_id

reference_type

scores

value	0.90128
scoring_system	epss
scoring_elements	0.99605
published_at	2026-06-04T12:55:00Z

value	0.90128
scoring_system	epss
scoring_elements	0.99606
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15169

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8162

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8164

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8165

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8166

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8167

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

reference_url

https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c

reference_url

https://hackerone.com/reports/413388

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/413388

reference_url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html

reference_url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html

reference_url

https://security.netapp.com/advisory/ntap-20250509-0002

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250509-0002

reference_url

https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released

reference_url

https://www.debian.org/security/2020/dsa-4766

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2020/dsa-4766

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1843072
reference_id	1843072
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1843072

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8165

reference_id

CVE-2020-8165

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8165

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml

reference_id

CVE-2020-8165.YML

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml

reference_url

https://github.com/advisories/GHSA-2p68-f74v-9wc6

reference_id

GHSA-2p68-f74v-9wc6

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2p68-f74v-9wc6

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

fixed_packages

url pkg:gem/activesupport@6.0.3.1

purl pkg:gem/activesupport@6.0.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-839h-sa86-2be5

vulnerability	VCID-bq89-45d8-67a3

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-usar-ms97-kbep

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.0.3.1

aliases CVE-2020-8165, GHSA-2p68-f74v-9wc6

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k5ev-tcr1-3kbz

url VCID-upyj-312m-cyhg

vulnerability_id VCID-upyj-312m-cyhg

summary

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer.
If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments,
the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.

### Releases
The fixed releases are available at the normal locations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33170.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33170

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01505
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33170

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33170

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7

reference_url

https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db

reference_url

https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb

reference_url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_url

https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:20:16Z/

url

https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33170

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33170

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id	1132035
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450543
reference_id	2450543
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450543

fixed_packages

url	pkg:gem/activesupport@7.2.3.1
purl	pkg:gem/activesupport@7.2.3.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1

url	pkg:gem/activesupport@8.0.4.1
purl	pkg:gem/activesupport@8.0.4.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1

url	pkg:gem/activesupport@8.1.2.1
purl	pkg:gem/activesupport@8.1.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1

aliases CVE-2026-33170, GHSA-89vf-4333-qx8v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-upyj-312m-cyhg

url VCID-usar-ms97-kbep

vulnerability_id VCID-usar-ms97-kbep

summary

Active Support Possibly Discloses Locally Encrypted Files
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json

reference_id

reference_type

scores

value	3.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-38037

reference_id

reference_type

scores

value	0.00095
scoring_system	epss
scoring_elements	0.26464
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-38037

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38037

reference_url

https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:35:42Z/

url

https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731

reference_url

https://github.com/rails/rails/releases/tag/v7.0.7.1

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3
scoring_elements

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.7.1

reference_url

https://security.netapp.com/advisory/ntap-20250214-0010

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20250214-0010

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057
reference_id	1051057
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051057

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2236261
reference_id	2236261
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2236261

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-38037

reference_id

CVE-2023-38037

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-38037

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml

reference_id

CVE-2023-38037.YML

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml

reference_url	https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
reference_id	GHSA-cr5q-6q9f-rq6q
reference_type
scores
url	https://github.com/advisories/GHSA-cr5q-6q9f-rq6q

reference_url	https://access.redhat.com/errata/RHSA-2023:7720
reference_id	RHSA-2023:7720
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7720

reference_url	https://access.redhat.com/errata/RHSA-2024:0268
reference_id	RHSA-2024:0268
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0268

fixed_packages

url pkg:gem/activesupport@6.1.7.5

purl pkg:gem/activesupport@6.1.7.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.1.7.5

url pkg:gem/activesupport@7.0.7.1

purl pkg:gem/activesupport@7.0.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-7s2b-9sgy-4qb4

vulnerability	VCID-upyj-312m-cyhg

vulnerability	VCID-y8nc-5c1w-c3ed

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.0.7.1

aliases CVE-2023-38037, GHSA-cr5q-6q9f-rq6q

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-usar-ms97-kbep

url VCID-y8nc-5c1w-c3ed

vulnerability_id VCID-y8nc-5c1w-c3ed

summary

Rails Active Support has a possible DoS vulnerability in its number helpers
### Impact
Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`),
which when converted to a string could be expanded into extremely large decimal representations.
This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,
possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33176.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33176

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09656
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33176

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33176

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails

reference_url

https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb

reference_url

https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a

reference_url

https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856

reference_url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/releases/tag/v7.2.3.1

reference_url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/releases/tag/v8.0.4.1

reference_url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/releases/tag/v8.1.2.1

reference_url

https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:42:42Z/

url

https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33176.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33176

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33176

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035
reference_id	1132035
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132035

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2450551
reference_id	2450551
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2450551

reference_url	https://access.redhat.com/errata/RHSA-2026:14835
reference_id	RHSA-2026:14835
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14835

reference_url	https://access.redhat.com/errata/RHSA-2026:14873
reference_id	RHSA-2026:14873
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14873

reference_url	https://access.redhat.com/errata/RHSA-2026:14874
reference_id	RHSA-2026:14874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14874

fixed_packages

url	pkg:gem/activesupport@7.2.3.1
purl	pkg:gem/activesupport@7.2.3.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@7.2.3.1

url	pkg:gem/activesupport@8.0.4.1
purl	pkg:gem/activesupport@8.0.4.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.0.4.1

url	pkg:gem/activesupport@8.1.2.1
purl	pkg:gem/activesupport@8.1.2.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@8.1.2.1

aliases CVE-2026-33176, GHSA-2j26-frm8-cmj9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y8nc-5c1w-c3ed

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/activesupport@6.0.2.2

Package Instance