Ruby on Rails
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*, +1 more
A vulnerability exists in multiple NetApp products that use Ruby on Rails. Active Support versions from 5.2.0 onward, prior to 6.1.7.5 and prior to 7.0.7.1, are affected. The vulnerability arises because `ActiveSupport::EncryptedFile` writes encrypted contents to a temporary file with permissions determined by the user's `umask` settings. As a result, other users on the same system may be able to read the temporary file's contents. Attackers with file system access could potentially intercept the data while the file is being edited.
Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive information from temporarily encrypted files.
Users should upgrade to a version of Ruby on Rails that is not vulnerable. Users of NetApp products affected by this vulnerability should consult the NetApp advisory NTAP-20250214-0010 for guidance.
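The permission behaviour described above can be reproduced with plain Ruby. This is an added example, not code from Rails or from the advisory; it compares a temporary file whose mode is left to the `umask` with one created with an explicit owner-only mode. The file names, helper names and sample contents are constructed for illustration.

```ruby
require "tmpdir"
require "tempfile"

# Constructed sample standing in for the contents being edited.
SAMPLE = "secret_key_base: constructed-sample-value\n"

# Permission bits (lowest 9) of a file.
def mode_of(path)
  File.stat(path).mode & 0o777
end

# True when group or other has the read bit set.
def readable_by_others?(path)
  (mode_of(path) & 0o044) != 0
end

# Weak pattern: no mode requested, so the file gets 0666 masked by the umask.
def write_with_umask_default(dir)
  path = File.join(dir, "umask-default.tmp")
  File.binwrite(path, SAMPLE)
  path
end

# Hardened pattern: request 0600 explicitly and refuse to reuse an existing path.
def write_owner_only(dir)
  path = File.join(dir, "owner-only.tmp")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(SAMPLE) }
  path
end

# Create both files (plus a stdlib Tempfile) under the given umask and report modes.
# Dir.mktmpdir makes a 0700 directory; only the file mode bits are inspected here.
def modes_under_umask(mask)
  previous = File.umask(mask)
  Dir.mktmpdir do |dir|
    weak = write_with_umask_default(dir)
    safe = write_owner_only(dir)
    { weak: mode_of(weak), weak_exposed: readable_by_others?(weak),
      safe: mode_of(safe), safe_exposed: readable_by_others?(safe),
      tempfile: Tempfile.create("edit") { |f| mode_of(f.path) } }
  end
ensure
  File.umask(previous) if previous
end

[0o022, 0o002, 0o077].each do |mask|
  r = modes_under_umask(mask)
  puts format("umask %04o: default=%04o owner-only=%04o Tempfile=%04o",
              mask, r[:weak], r[:safe], r[:tempfile])
end
```

On a multi-user host, the same `readable_by_others?` check can be pointed at files an editing session leaves in the temporary directory to confirm whether the local `umask` exposes them.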