Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6pxd-xsaw-tuer
Vulnerability ID VCID-6pxd-xsaw-tuer
Aliases CVE-2023-38037
GHSA-cr5q-6q9f-rq6q
Summary Active Support Possibly Discloses Locally Encrypted Files There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 3.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
epss 0.00076 https://api.first.org/data/v1/epss?cve=CVE-2023-38037
cvssv3 5.5 https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
cvssv3.1 5.5 https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
generic_textual MODERATE https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
ssvc Track https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
cvssv3.1 5.5 https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails
cvssv3.1 5.5 https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
generic_textual MODERATE https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
cvssv3 5.5 https://github.com/rails/rails/releases/tag/v7.0.7.1
cvssv3.1 5.5 https://github.com/rails/rails/releases/tag/v7.0.7.1
generic_textual MODERATE https://github.com/rails/rails/releases/tag/v7.0.7.1
cvssv3.1 5.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
cvssv3.1 5.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38037
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-38037
cvssv3.1 5.5 https://security.netapp.com/advisory/ntap-20250214-0010
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20250214-0010
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38037.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none


Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:35:42Z/ Found at https://discuss.rubyonrails.org/t/cve-2023-38037-possible-file-disclosure-of-locally-encrypted-files/83544
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/rails/rails
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/rails/rails/releases/tag/v7.0.7.1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38037
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://security.netapp.com/advisory/ntap-20250214-0010
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)
Percentile 0.22911
EPSS Score 0.00076
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:43.485814+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/activesupport/CVE-2023-38037.yml 38.0.0