Lucene search

[email protected]CVE-2022-31072

HistoryJun 15, 2022 - 11:15 p.m.

CVE-2022-31072

2022-06-1523:15:09

CWE-276

[email protected]

web.nvd.nist.gov

629

octokit

ruby

github api

vulnerability

world-writeable files

permissions

patch

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

3.8 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

Affected configurations

Vulners

NVD

Node

octokitoctokitRange4.23.0–4.25.0

VendorProductVersionCPE
octokitoctokit*cpe:2.3:a:octokit:octokit:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octokit	octokit	*	cpe:2.3:a:octokit:octokit::::::::

CNA Affected

[
  {
    "product": "octokit.rb",
    "vendor": "octokit",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.23.0, < 4.25.0"
      }
    ]
  }
]