
Commit 0d91567

Added CVE-2024-32978 for kaminari.
1 parent a15b67c commit 0d91567

1 file changed

+63
-0
lines changed


gems/kaminari/CVE-2024-32978.yml

Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,63 @@
1+
---
2+
gem: kaminari
3+
cve: 2024-32978
4+
ghsa: 7r3j-qmr4-jfpj
5+
url: https://nvd.nist.gov/vuln/detail/CVE-2024-32978
6+
title: Insecure File Permissions vulnerability in kaminari
7+
date: 2024-05-27
8+
description: |
9+
kaminari versions prior to 0.16.2 are vulnerable to an Insecure File
10+
Permissions vulnerability, where certain files within the kaminari gem have
11+
insecure file permissions.
12+
13+
Versions Affected: < 0.16.2
14+
Fixed Versions: >= 0.16.2
15+
16+
# Impact
17+
18+
An attacker with local access could write arbitrary code to the affected files
19+
resulting in arbitrary code execution.
20+
21+
# Releases
22+
23+
The fixed releases are available at the normal locations.
24+
25+
# Workarounds
26+
27+
Manually set the permissions of the affected files to `644`.
28+
29+
## All Affected Versions:
30+
31+
```
32+
lib/kaminari/models/page_scope_methods.rb
33+
```
34+
35+
## Version 0.15.0 and 0.15.1:
36+
37+
```
38+
spec/models/mongo_mapper/mongo_mapper_spec.rb
39+
```
40+
41+
## Version 0.16.0:
42+
43+
```
44+
spec/models/mongo_mapper/mongo_mapper_spec.rb
45+
spec/models/mongoid/mongoid_spec.rb
46+
```
47+
48+
## Version 0.16.1:
49+
50+
```
51+
spec/models/active_record/scopes_spec.rb
52+
spec/models/mongo_mapper/mongo_mapper_spec.rb
53+
spec/models/mongoid/mongoid_spec.rb
54+
gemfiles/data_mapper_12.gemfile
55+
gemfiles/active_record_32.gemfile
56+
```
57+
58+
cvss_v3: 6.6
59+
patched_versions:
60+
- ">= 0.16.2"
61+
related:
62+
url:
63+
- https://github.com/kaminari/kaminari/security/advisories/GHSA-7r3j-qmr4-jfpj
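Review bot: the Workarounds paragraph tells operators to set the listed files to `644`, but the description only says the files have "insecure file permissions" and never states the mode they actually shipped with, so a reader cannot confirm from this entry alone whether an installed copy is affected. State the observed mode next to the Impact text (for example whether the files were group- or world-writable, since the Impact section says a local user could write to them), and point operators at a check they can run against their install, such as `gem contents kaminari | xargs ls -l`, which prints the mode of every file the gem installed. The per-version file lists are the most useful part of the entry; a one-line note on how they were determined (which released gem archives were inspected) would let a second reviewer reproduce them.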
