File Permission Vulnerability in ActiveSupport for Ruby on Rails
CVE-2023-38037
What is CVE-2023-38037?
A vulnerability in ActiveSupport::EncryptedFile allows temporary files to inherit permissions based on the user's umask settings. This can permit unauthorized users on the same system to access the encrypted file's contents while a user is editing it. Attackers with filesystem access may exploit this flaw to read sensitive data. Users are urged to upgrade to the latest version or implement available workarounds to mitigate the risk.
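The weakness described above is a classic umask-dependent file creation: a scratch file opened without an explicit mode gets 0666 masked by the process umask (typically 0644), so other local accounts can read it for as long as it exists. The example below is an added illustration written for this page; it is not the ActiveSupport::EncryptedFile code or the Rails patch. It contrasts a naive write that inherits the umask with a hardened write that requests owner-only permission at creation time and then chmods to 0600 so the result does not depend on the umask at all. Function names (`write_scratch_umask_inherited`, `write_scratch_private`, `compare_modes`) and the file names are constructed for the demonstration.

```ruby
require "tmpdir"
require "fileutils"

# Naive write: no explicit mode, so the kernel applies 0666 & ~umask.
# With the common umask of 022 this yields 0644, readable by group and world.
def write_scratch_umask_inherited(dir, contents)
  path = File.join(dir, "scratch-umask.txt")   # constructed file name
  File.open(path, "w") { |f| f.write(contents) }
  path
end

# Hardened write: create the file 0600 with O_EXCL (fail if it already exists,
# which also defeats symlink pre-creation in shared directories), then chmod
# explicitly because chmod is NOT subject to the umask.
def write_scratch_private(dir, contents)
  path = File.join(dir, "scratch-private.txt")  # constructed file name
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    File.chmod(0600, path)
    f.write(contents)
  end
  path
end

# Permission bits only (strip file-type bits).
def mode_of(path)
  File.stat(path).mode & 0777
end

# True if any group or other read bit is set.
def readable_by_others?(path)
  (mode_of(path) & 0044) != 0
end

# Runs both writers in a fresh temp dir and returns their resulting modes
# as [naive_mode, hardened_mode]; the files are removed afterwards.
def compare_modes
  Dir.mktmpdir do |d|
    naive    = write_scratch_umask_inherited(d, "secret material")
    hardened = write_scratch_private(d, "secret material")
    [mode_of(naive), mode_of(hardened)]
  end
end

if __FILE__ == $0
  naive, hardened = compare_modes
  printf("umask=%04o naive=%04o hardened=%04o\n", File.umask, naive, hardened)
end
```

Run it under `umask 022` and the naive file comes out 0644 while the hardened one is 0600; with `umask 077` both are 0600, which is exactly why a check that passes on a developer's locked-down shell can still fail in a CI or production environment with a permissive umask. The detection point for a reviewer is any temp-file creation that does not pass an explicit mode (or use an API that defaults to 0600).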
Affected Version(s)
ActiveSupport >= 5.2.0 < 5.2.0
ActiveSupport 5.2.0
ActiveSupport 7.0.7.1, 6.1.7.5