Lucene search

Ubuntu.comUB:CVE-2022-31072

HistoryJun 15, 2022 - 12:00 a.m.

CVE-2022-31072

2022-06-1500:00:00

ubuntu.com

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

12.6%

JSON

Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of
the octokit gem were published containing world-writeable files.
Specifically, the gem was packed with files having their permissions set to
-rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means
everyone who is not the owner (Group and Public) with access to the
instance where this release had been installed could modify the
world-writable files from this gem. This issue is patched in Octokit
4.25.0. Two workarounds are available. Users can use the previous version
of the gem, v4.22.0. Alternatively, users can modify the file permissions
manually until they are able to upgrade to the latest version.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchruby-octokit< anyUNKNOWN
ubuntu20.04noarchruby-octokit< anyUNKNOWN
ubuntu22.04noarchruby-octokit< anyUNKNOWN
ubuntu23.10noarchruby-octokit< anyUNKNOWN
ubuntu24.04noarchruby-octokit< anyUNKNOWN
ubuntu16.04noarchruby-octokit< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	ruby-octokit	< any	UNKNOWN
ubuntu	20.04	noarch	ruby-octokit	< any	UNKNOWN
ubuntu	22.04	noarch	ruby-octokit	< any	UNKNOWN
ubuntu	23.10	noarch	ruby-octokit	< any	UNKNOWN
ubuntu	24.04	noarch	ruby-octokit	< any	UNKNOWN
ubuntu	16.04	noarch	ruby-octokit	< any	UNKNOWN

References

github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55

github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6

launchpad.net/bugs/cve/CVE-2022-31072

nvd.nist.gov/vuln/detail/CVE-2022-31072

security-tracker.debian.org/tracker/CVE-2022-31072

www.cve.org/CVERecord?id=CVE-2022-31072

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

3.3 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

12.6%

JSON

Related for UB:CVE-2022-31072