Added CVE-2024-32978 for kaminari.

postmodern · postmodern · commit 0d915671f080 · 2024-05-29T19:45:12.000-07:00
diff --git a/gems/kaminari/CVE-2024-32978.yml b/gems/kaminari/CVE-2024-32978.yml
@@ -0,0 +1,63 @@
+---
+gem: kaminari
+cve: 2024-32978
+ghsa: 7r3j-qmr4-jfpj
+url: https://nvd.nist.gov/vuln/detail/CVE-2024-32978
+title: Insecure File Permissions vulnerability in kaminari
+date: 2024-05-27
+description: |
+  kaminari versions prior to 0.16.2 are vulnerable to an Insecure File
+  Permissions vulnerability, where certain files within the kaminari gem have
+  insecure file permissions.
+
+  Versions Affected: < 0.16.2
+  Fixed Versions: >= 0.16.2
+
+  # Impact
+  
+  An attacker with local access could write arbitrary code to the affected files
+  resulting in arbitrary code execution.
+
+  # Releases
+
+  The fixed releases are available at the normal locations.
+
+  # Workarounds
+
+  Manually set the permissions of the affected files to `644`.
+
+  ## All Affected Versions:
+
+  ```
+  lib/kaminari/models/page_scope_methods.rb
+  ```
+
+  ## Version 0.15.0 and 0.15.1:
+  
+  ```
+  spec/models/mongo_mapper/mongo_mapper_spec.rb
+  ```
+
+  ## Version 0.16.0:
+
+  ```
+  spec/models/mongo_mapper/mongo_mapper_spec.rb
+  spec/models/mongoid/mongoid_spec.rb
+  ```
+
+  ## Version 0.16.1:
+
+  ```
+  spec/models/active_record/scopes_spec.rb
+  spec/models/mongo_mapper/mongo_mapper_spec.rb
+  spec/models/mongoid/mongoid_spec.rb
+  gemfiles/data_mapper_12.gemfile
+  gemfiles/active_record_32.gemfile
+  ```
+
+cvss_v3: 6.6
+patched_versions:
+  - ">= 0.16.2"
+related:
+  url:
+    - https://github.com/kaminari/kaminari/security/advisories/GHSA-7r3j-qmr4-jfpj
