A security vulnerability, identified as CVE-2023-38037, has been found in ActiveSupport::EncryptedFile in Ruby on Rails. This vulnerability could potentially allow an attacker to read the contents of a temporary file while a user is editing it. All users running an affected release should either upgrade or apply a workaround immediately to avoid any potential threat.
Vulnerability Details
ActiveSupport::EncryptedFile is the Ruby on Rails component that, while a user edits an encrypted file (for example via `rails credentials:edit`), writes the decrypted contents to a temporary file. Because the temporary file is created without an explicit restrictive mode, its permissions follow the process's current umask; under a permissive umask other users on the same system can read the file.
An attacker with a local account on the same host could therefore read the sensitive information held in the temporary file during the window in which the user is editing it.
Here is a sample code snippet that demonstrates the usage of ActiveSupport::EncryptedFile:
require 'active_support/encrypted_file'

encrypted_file = ActiveSupport::EncryptedFile.new(
  content_path: 'path/to/encrypted/file',   # the encrypted file on disk
  key_path: 'path/to/key/file',             # file holding the encryption key
  env_key: 'RAILS_MASTER_KEY',              # environment variable checked first for the key
  raise_if_missing_key: false               # with false, a missing key surfaces later on read/write
)

# Read and decrypt the contents of the encrypted file
contents = encrypted_file.read

# Encrypt and write the modified contents back to content_path
encrypted_file.write(contents + "\nnew content")
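The following is an added example, not code from Rails or from the advisory, that reproduces the mechanism described above in plain Ruby: a temporary file written without an explicit mode inherits the process umask, whereas one opened with an owner-only mode (0600) does not. The helper names (`readable_by_others?`, `write_temp_with_umask`, `write_temp_owner_only`, `audit_readable_by_others`) and the constructed file names are assumptions for the demonstration; the hardened pattern shown is a general one and is not presented as the exact Rails fix.

```ruby
require "tmpdir"

# Permission bits that grant read access to the group or to other users.
GROUP_OTHER_READ = 0o044

# Returns true when a user other than the file owner can read the file.
def readable_by_others?(path)
  (File.stat(path).mode & GROUP_OTHER_READ) != 0
end

# Pattern the advisory describes: the file is created with Ruby's default
# permission (0666), so the effective mode is 0666 & ~umask. With the common
# umask 0022 that yields 0644, readable by every local user.
def write_temp_with_umask(dir, content, umask)
  old = File.umask(umask)            # apply the umask for this demonstration only
  path = File.join(dir, "under-umask.txt")   # constructed file name
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC) { |f| f.write(content) }
  path
ensure
  File.umask(old) if old             # always restore the previous umask
end

# Hardened pattern: request an owner-only mode explicitly and refuse to reuse
# an existing path (EXCL), so the result does not depend on the umask.
def write_temp_owner_only(dir, content)
  path = File.join(dir, "owner-only.txt")    # constructed file name
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(content) }
  path
end

# Defender's check: list regular files in a directory that other users can read.
def audit_readable_by_others(dir)
  Dir.children(dir)
     .map { |name| File.join(dir, name) }
     .select { |p| File.file?(p) && readable_by_others?(p) }
     .sort
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    leaky  = write_temp_with_umask(dir, "secret", 0o022)
    closed = write_temp_owner_only(dir, "secret")
    strict = write_temp_with_umask(dir, "secret", 0o077)  # the umask workaround
    [leaky, closed, strict].each do |p|
      printf("%-40s mode=%04o readable_by_others=%s\n",
             File.basename(p), File.stat(p).mode & 0o777, readable_by_others?(p))
    end
    puts "exposed: #{audit_readable_by_others(dir).map { |p| File.basename(p) }}"
  end
end
```

Running the block shows `under-umask.txt` at mode 0644 and flagged as readable by others, while `owner-only.txt` stays at 0600 regardless of umask. The third write demonstrates the umask 0077 workaround from the mitigation section: the same unhardened code then produces a 0600 file, which is why the workaround is effective but only for processes that actually run under that umask.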
For more information about the vulnerability, please refer to the following links:
- CVE-2023-38037
- Ruby on Rails Security Advisory
Mitigation and Workarounds
To address the issue, users are advised to either upgrade to a non-vulnerable version or apply one of the following workarounds immediately:
1. Upgrade Ruby on Rails to a non-affected version (5.2.X, 6..X, or 6.1.X).
2. Restrict the umask of the process that runs ActiveSupport::EncryptedFile so that the temporary file it creates is not readable by other users. For example, setting the umask to 0077 in the shell before running the editing command gives the temporary file mode 0600, so only the file owner can read and write it:
umask 0077
3. Use an alternative method for encrypting and storing sensitive data, such as Ruby's built-in OpenSSL::Cipher class.
Please ensure to apply the necessary mitigation steps to protect your Ruby on Rails application from potential exploitation of this vulnerability.
Timeline
Published on: 01/09/2025 01:15:07 UTC