
Upgrade ActiveSupport to 6.1.7.5 to fix local file disclosure vulnerability (CVE-2023-38037)

Open yuzhongqi opened this issue 5 months ago • 0 comments

Description

Summary

A local file disclosure vulnerability has been identified in Active Support, affecting versions 5.2.0 and later. The issue is tracked under CVE-2023-38037.

Impact

ActiveSupport::EncryptedFile writes data that is meant to be encrypted into a temporary file during the encryption process. By default, this temporary file’s permissions are determined by the user’s current umask value.

If the umask is not restrictive (for example, 0022), other users on the same system may have read permissions to the temporary file, potentially exposing sensitive data before encryption is complete.

Attackers with local filesystem access could read these temporary files while they are being edited.

All users running affected releases should upgrade or apply the workaround immediately.

Affected Versions

Affected: >= 5.2.0

Not affected: < 5.2.0

Fixed versions: 7.0.7.1, 6.1.7.5

Fix / Recommendation

Upgrade activesupport from 5.2.6 to 6.1.7.5 or newer.

yuzhongqi avatar Nov 10 '25 05:11 yuzhongqi
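The umask dependence described in the issue, as an added illustration that is not part of the issue, of DeviceKit, or of Active Support's own code: a scratch file created with the default mode inherits `0666 & ~umask` (so `0644` under umask `0022`), while one created with an explicit `0600` mode stays private regardless of umask. The helper names (`readable_by_others?`, `write_scratch_default`, `write_scratch_private`, `demo`) are hypothetical, and the check runs entirely inside a temporary directory created for the demo.

```ruby
require "fileutils"
require "tmpdir"

# Hypothetical helper: true when any read bit is set for group or others.
def readable_by_others?(path)
  (File.stat(path).mode & 0o044) != 0
end

# Naive pattern (the risk the advisory describes): the scratch file is created
# with the default mode, so the kernel applies 0666 & ~umask. With umask 0022
# that yields 0644 and every local user can read the plaintext until cleanup.
def write_scratch_default(path, plaintext)
  File.binwrite(path, plaintext)
  File.stat(path).mode & 0o777
end

# Hardened pattern: request 0600 at creation time. The kernel still applies
# the umask, but 0600 & ~umask is 0600 for any umask, so the mode no longer
# depends on the caller's environment. EXCL refuses to reuse an existing file.
def write_scratch_private(path, plaintext)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(plaintext)
  end
  File.stat(path).mode & 0o777
end

# Run both writers under the given umask (constructed demo input) and report
# the resulting modes; the umask is restored afterwards.
def demo(umask = 0o022)
  previous = File.umask(umask)
  Dir.mktmpdir("encfile-demo") do |dir|
    naive = File.join(dir, "naive.tmp")
    safe  = File.join(dir, "safe.tmp")
    {
      naive_mode: write_scratch_default(naive, "secret"),
      naive_exposed: readable_by_others?(naive),
      safe_mode: write_scratch_private(safe, "secret"),
      safe_exposed: readable_by_others?(safe)
    }
  end
ensure
  File.umask(previous) if previous
end

if __FILE__ == $0
  puts demo.inspect           # umask 0022: naive file is 0644 and exposed
  puts demo(0o077).inspect    # umask 0077: even the naive file is 0600
end
```

Running `demo` with the permissive umask from the issue shows the naive file readable by others and the explicit-mode file private; with a restrictive umask both end up `0600`, which is exactly why the issue lists a tighter umask as a workaround and the explicit creation mode as the real fix.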