ActiveSupport::EncryptedFile writes contents that will be encrypted to a
temporary file. The temporary file's permissions default to the user's
current `umask` settings, meaning that it's possible for other users on the
same system to read the contents of the temporary file.
Attackers who have access to the file system could read the contents
of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
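As an added illustration (not code from Rails or ActiveSupport), here is a hypothetical helper written two ways: one that creates the temporary file with Ruby's default mode (0666 masked only by the process umask, the behaviour the advisory describes) and one that requests owner-only 0600 at creation time. The sample plaintext, the file name and the helper names are constructed for the example.

```ruby
require "tmpdir"
require "pathname"

# Constructed sample plaintext standing in for decrypted credentials.
SAMPLE_PLAINTEXT = "secret_key_base: 0123456789abcdef\n".freeze

# Runs the block under the given process umask, then restores the old one.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old)
end

# Permission bits of a path as an integer such as 0o644.
def perm_bits(path)
  File.stat(path).mode & 0o777
end

# Weak pattern (hypothetical helper modelled on the flaw described above):
# Pathname#binwrite creates the temp file with 0666 masked only by the umask,
# so under the common umask 022 it is 0644, readable by every local user.
def write_plaintext_umask_default(tmpdir, contents)
  path = Pathname.new(File.join(tmpdir, "#{Process.pid}.credentials.yml"))
  path.binwrite(contents)
  perm_bits(path)
ensure
  path.delete if path&.exist?
end

# Hardened pattern: request 0600 at creation (third argument to File.open), so
# no other user can open the file at any point; File::EXCL refuses to write
# into something that already sits at that path, and we only delete what we made.
def write_plaintext_owner_only(tmpdir, contents)
  path = Pathname.new(File.join(tmpdir, "#{Process.pid}.credentials.yml"))
  flags = File::WRONLY | File::CREAT | File::EXCL | File::BINARY
  created = File.open(path, flags, 0o600) { |f| f.write(contents); true }
  perm_bits(path)
ensure
  path.delete if created
end

# Both patterns under umask 022: {default: 0o644, hardened: 0o600}.
def compare_modes(tmpdir = Dir.tmpdir)
  with_umask(0o022) do
    { default: write_plaintext_umask_default(tmpdir, SAMPLE_PLAINTEXT),
      hardened: write_plaintext_owner_only(tmpdir, SAMPLE_PLAINTEXT) }
  end
end
```

Wrapping the weak helper in `with_umask(0o077)` yields 0600 as well, which is why the process umask matters to this issue; the hardened helper gives 0600 regardless of umask.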
History

Sat, 15 Feb 2025 01:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References |  |  |

Thu, 09 Jan 2025 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-732 |  |
| Metrics | ssvc |  |

Thu, 09 Jan 2025 01:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | An insecure temporary file vulnerability was found in activesupport rubygem. Contents that will be encrypted are written to a temporary file that has the user's current umask settings, possibly leading to information disclosure by other users on the same system. | ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately. |
| References |  |  |
| Metrics | cvssV3_0 |  |
MITRE
Status: PUBLISHED
Assigner: hackerone
Published: 2025-01-09T00:33:47.704Z
Updated: 2025-02-15T00:10:27.790Z
Reserved: 2023-07-12T01:00:11.881Z
Link: CVE-2023-38037

Vulnrichment
Updated: 2025-02-15T00:10:27.790Z

NVD
Status: Awaiting Analysis
Published: 2025-01-09T01:15:07.853
Modified: 2025-02-15T01:15:09.590
Link: CVE-2023-38037

Redhat