CVE-2024-32978

2024-05-2716:15:08

CWE-276

[email protected]

web.nvd.nist.gov

kaminari

pagination

library

vulnerability

ruby on rails

file permissions

update

security

unauthorized access

data integrity

6.6 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Kaminari is a paginator for web app frameworks and object relational mappings. A security vulnerability involving insecure file permissions has been identified in the Kaminari pagination library for Ruby on Rails, concerning insecure file permissions. This vulnerability is of moderate severity due to the potential for unauthorized write access to particular Ruby files managed by the library. Such access could lead to the alteration of application behavior or data integrity issues. Users of affected versions are advised to update to Kaminari version 0.16.2 or later, where file permissions have been adjusted to enhance security. If upgrading is not feasible immediately, review and adjust the file permissions for particular Ruby files in Kaminari to ensure they are only accessible by authorized user.

Affected configurations

Vulners

Node

kaminarikaminariRange0.15.0–0.16.1

CNA Affected

[
  {
    "vendor": "kaminari",
    "product": "kaminari",
    "versions": [
      {
        "version": ">= 0.15.0, <= 0.16.1",
        "status": "affected"
      }
    ]
  }
]