Lucene search

RubySecRUBY:REQUEST_STORE-2024-43791

HistoryAug 22, 2024 - 9:00 p.m.

request_store has Incorrect Default Permissions

2024-08-2221:00:00

RubySec

github.com

request_store

permissions

0666

local users

arbitrary code

2017

production environments

upgraded

gem

chmod

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

JSON

Impact

The files published as part of request_store 1.3.2 have 0666
permissions, meaning that they are world-writable, which allows
local users to execute arbitrary code.

This version was published in 2017, and most production environments
do not allow access for local users, so the chances of this being
exploited are very low, given that the vast majority of users will
have upgraded, and those that have not, if any, are not likely to
be exposed.

Patches

I am not aware of any other version of the gem with incorrect
permissions, so simply upgrading should fix the issue.

Workarounds

You could chmod the files yourself, I guess.

Affected configurations

Vulners

Node

rubyrequest_storeRange≤1.4.0

VendorProductVersionCPE
rubyrequest_store*cpe:2.3:a:ruby:request_store:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	request_store	*	cpe:2.3:a:ruby:request_store::::::::

References

github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

JSON

Related for RUBY:REQUEST_STORE-2024-43791