CVE-2022-31072.yml
---
gem: octokit
cve: 2022-31072
ghsa: g28x-pgr3-qqx6
url: https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6
title: Octokit gem published with world-writable files
date: 2022-06-15
description: |
  ### Impact
  Versions [4.23.0](https://rubygems.org/gems/octokit/versions/4.23.0)
  and [4.24.0](https://rubygems.org/gems/octokit/versions/4.24.0) of the octokit gem
  were published containing world-writable files.
  Specifically, the gem was packed
  with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `-rw-r--r--`
  (i.e. 0644). This means everyone who is not the owner (Group and Public) with access
  to the instance where this release had been installed could modify the world-writable
  files from this gem.
  Malicious code already present and running on your machine,
  separate from this package, could modify the gem's files and change its behavior
  at runtime.
  ### Patches
  * [octokit 4.25.0](https://rubygems.org/gems/octokit/versions/4.25.0)
  ### Workarounds
  Users can use the previous version of the gem [v4.22.0](https://rubygems.org/gems/octokit/versions/4.22.0).
  Alternatively, users can modify the file permissions manually until they are able
  to upgrade to the latest version.
cvss_v3: 2.5
unaffected_versions:
  - "< 4.23.0"
patched_versions:
  - ">= 4.25.0"
related:
  url:
    - https://github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55
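The workaround in the advisory is to fix the file permissions by hand until an upgrade is possible. The following Ruby script is an added example, not part of the advisory or the octokit project: it audits a directory tree for files with the other-write bit set (the 0666 case described above) and clears the group- and other-write bits, leaving 0644. The sample gem directory it builds under a temp path is constructed for the demonstration and contains no real octokit files.

```ruby
require "fileutils"
require "tmpdir"

# Return the relative paths of regular files under +root+ whose mode has the
# other-write bit (o+w) set, i.e. files any user on the host could modify.
def world_writable_files(root)
  Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH)
     .select { |p| File.file?(p) }
     .select { |p| (File.stat(p).mode & 0o002) != 0 }
     .map { |p| p.sub("#{root}/", "") }
     .sort
end

# Clear the group- and other-write bits on each offending file, mirroring the
# manual workaround the advisory describes (0666 -> 0644). Returns the paths changed.
def tighten_permissions!(root)
  world_writable_files(root).each do |rel|
    path = File.join(root, rel)
    # mask keeps setuid/setgid/sticky and rwx bits, drops g+w (0o020) and o+w (0o002)
    File.chmod(File.stat(path).mode & 0o7755, path)
  end
end

# Build a throwaway directory shaped like an installed gem (constructed sample,
# not real octokit files): one file packed correctly, one packed at 0666.
def build_sample_gem_dir
  dir = Dir.mktmpdir("octokit-sample")
  FileUtils.mkdir_p(File.join(dir, "lib", "octokit"))
  File.write(File.join(dir, "lib", "octokit.rb"), "# packed with 0644\n")
  File.chmod(0o644, File.join(dir, "lib", "octokit.rb"))
  File.write(File.join(dir, "lib", "octokit", "client.rb"), "# packed with 0666\n")
  File.chmod(0o666, File.join(dir, "lib", "octokit", "client.rb"))
  dir
end

# Run the audit before and after the fix; returns [before, after] path lists.
def audit_and_fix(root)
  before = world_writable_files(root)
  tighten_permissions!(root)
  [before, world_writable_files(root)]
end

if __FILE__ == $PROGRAM_NAME
  # Pass a real gem directory as ARGV[0], or fall back to the constructed sample.
  root = ARGV[0] || build_sample_gem_dir
  before, after = audit_and_fix(root)
  puts "world-writable before fix: #{before.inspect}"
  puts "world-writable after fix:  #{after.inspect}"
end
```

To run it against an actual installation, pass the output of `Gem::Specification.find_by_name("octokit").gem_dir` as the first argument; the audit step alone (`world_writable_files`) is also a cheap check to add to a deployment pipeline so a gem packed with loose modes is caught before it is loaded.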