Vulnerability details: VCID-ce39-j83r-6ug9
Vulnerability ID VCID-ce39-j83r-6ug9
Aliases CVE-2022-22577
GHSA-mm33-5vfq-3mm3
GMS-2022-1137
Summary Duplicate This advisory duplicates another.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
epss 0.00287 https://api.first.org/data/v1/epss?cve=CVE-2022-22577
cvssv3.1 6.1 https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
generic_textual MODERATE https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-mm33-5vfq-3mm3
cvssv3.1 6.1 https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails
cvssv3.1 6.1 https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
generic_textual MODERATE https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
cvssv3.1 6.1 https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
generic_textual MODERATE https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
cvssv3.1 6.1 https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
generic_textual MODERATE https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
cvssv3.1 6.1 https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
generic_textual MODERATE https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
cvssv3.1 6.1 https://github.com/rails/rails/pull/44635
generic_textual MODERATE https://github.com/rails/rails/pull/44635
cvssv3.1 6.1 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
cvssv3 6.1 https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
cvssv3.1 6.1 https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
generic_textual MODERATE https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
cvssv3.1 6.1 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2022-22577
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-22577
cvssv3.1 6.1 https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
generic_textual MODERATE https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
cvssv3.1 6.1 https://security.netapp.com/advisory/ntap-20221118-0002
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20221118-0002
cvssv3.1 6.1 https://www.debian.org/security/2023/dsa-5372
generic_textual MODERATE https://www.debian.org/security/2023/dsa-5372
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
https://api.first.org/data/v1/epss?cve=CVE-2022-22577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
https://github.com/rails/rails/pull/44635
https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
https://security.netapp.com/advisory/ntap-20221118-0002
https://security.netapp.com/advisory/ntap-20221118-0002/
https://www.debian.org/security/2023/dsa-5372
1011941 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011941
2080302 https://bugzilla.redhat.com/show_bug.cgi?id=2080302
CVE-2022-22577 https://nvd.nist.gov/vuln/detail/CVE-2022-22577
CVE-2022-22577.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
GHSA-mm33-5vfq-3mm3 https://github.com/advisories/GHSA-mm33-5vfq-3mm3
RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22577.json
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Unchanged; Confidentiality Impact (C): None; Integrity Impact (I): High; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None; Scope (S): Unchanged; Confidentiality Impact (C): None; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rails/rails/pull/44635
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-22577
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20221118-0002
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.debian.org/security/2023/dsa-5372
Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality Impact (C): Low; Integrity Impact (I): Low; Availability Impact (A): None

Exploit Prediction Scoring System (EPSS)
Percentile 0.52099
EPSS Score 0.00287
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:53.964294+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/GMS-2022-1137.yml 38.0.0