RubySecRUBY:KAMINARI-2024-32978Insecure File Permissions vulnerability in kaminari
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
kaminari versions prior to 0.16.2 are vulnerable to an Insecure File
Permissions vulnerability, where certain files within the kaminari gem have
insecure file permissions.
Versions Affected: < 0.16.2
Fixed Versions: >= 0.16.2
Impact
An attacker with local access could write arbitrary code to the affected files
resulting in arbitrary code execution.
Releases
The fixed releases are available at the normal locations.
Workarounds
Manually set the permissions of the affected files to 644.
All Affected Versions:
lib/kaminari/models/page_scope_methods.rb
Version 0.15.0 and 0.15.1:
spec/models/mongo_mapper/mongo_mapper_spec.rb
Version 0.16.0:
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
Version 0.16.1:
spec/models/active_record/scopes_spec.rb
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
gemfiles/data_mapper_12.gemfile
gemfiles/active_record_32.gemfile
Affected configurations
References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High