1 file changed: +63 -0 lines changed
1
+ ---
2
+ gem : kaminari
3
+ cve : 2024-32978
4
+ ghsa : 7r3j-qmr4-jfpj
5
+ url : https://nvd.nist.gov/vuln/detail/CVE-2024-32978
6
+ title : Insecure File Permissions vulnerability in kaminari
7
+ date : 2024-05-27
8
+ description : |
9
+ kaminari versions prior to 0.16.2 are vulnerable to an Insecure File
10
+ Permissions vulnerability, where certain files within the kaminari gem have
11
+ insecure file permissions.
12
+
13
+ Versions Affected: < 0.16.2
14
+ Fixed Versions: >= 0.16.2
15
+
16
+ # Impact
17
+
18
+ An attacker with local access could write arbitrary code to the affected files
19
+ resulting in arbitrary code execution.
20
+
21
+ # Releases
22
+
23
+ The fixed releases are available at the normal locations.
24
+
25
+ # Workarounds
26
+
27
+ Manually set the permissions of the affected files to `644`.
28
+
29
+ ## All Affected Versions:
30
+
31
+ ```
32
+ lib/kaminari/models/page_scope_methods.rb
33
+ ```
34
+
35
+ ## Version 0.15.0 and 0.15.1:
36
+
37
+ ```
38
+ spec/models/mongo_mapper/mongo_mapper_spec.rb
39
+ ```
40
+
41
+ ## Version 0.16.0:
42
+
43
+ ```
44
+ spec/models/mongo_mapper/mongo_mapper_spec.rb
45
+ spec/models/mongoid/mongoid_spec.rb
46
+ ```
47
+
48
+ ## Version 0.16.1:
49
+
50
+ ```
51
+ spec/models/active_record/scopes_spec.rb
52
+ spec/models/mongo_mapper/mongo_mapper_spec.rb
53
+ spec/models/mongoid/mongoid_spec.rb
54
+ gemfiles/data_mapper_12.gemfile
55
+ gemfiles/active_record_32.gemfile
56
+ ```
57
+
58
+ cvss_v3 : 6.6
59
+ patched_versions :
60
+ - " >= 0.16.2"
61
+ related :
62
+ url :
63
+ - https://github.com/kaminari/kaminari/security/advisories/GHSA-7r3j-qmr4-jfpj
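Review bot: the description at lines 9-11 says only that the files have "insecure file permissions" without stating the mode they shipped with, so a reader cannot tell whether they are world-writable or merely group-writable, which is exactly what the Impact section's "attacker with local access" claim depends on; state the observed mode as reported in the linked GHSA. The Workarounds section at line 27 would also be more actionable if it told users how to locate the installed copies before applying `644`, e.g. `gem contents kaminari` or `bundle show kaminari`, and noted that the per-version lists at lines 31-56 refer to paths inside the installed gem directory, not the application's own tree.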