CVE-2022-31071.yml
---
gem: octopoller
cve: 2022-31071
ghsa: 26qj-cr27-r5c4
url: https://github.com/octokit/octopoller.rb/security/advisories/GHSA-26qj-cr27-r5c4
title: Octopoller gem published with world-writable files
date: 2022-06-15
description: |
  ### Impact
  Version [0.2.0](https://rubygems.org/gems/octopoller/versions/0.2.0)
  of the octopoller gem was published containing world-writable files. Specifically,
  the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e.
  0666) instead of `-rw-r--r--` (i.e. 0644).

  This means everyone who is not the owner (group and public) with access to the
  instance where this release had been installed could modify the world-writable
  files from this gem.

  Malicious code already present and running on your machine, separate from this
  package, could modify the gem's files and change its behavior during runtime.

  ### Patches
  * octopoller v0.3.0

  ### Workarounds
  Users can use the previous version of the gem [v0.1.0](https://rubygems.org/gems/octopoller/versions/0.1.0).
  Alternatively, users can modify the file permissions manually until they are able
  to upgrade to the latest version.

cvss_v3: 2.5
unaffected_versions:
  - "< 0.2.0"
patched_versions:
  - ">= 0.3.0"
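The workaround above ("modify the file permissions manually") can be checked and applied with a short script. The following is an added example, not code from the advisory or from the octopoller project; it assumes the affected gem is installed under the path RubyGems reports for it, and it strips only the group/other write bits (turning 0666 into 0644) so that owner permissions and executable bits are left untouched.

```ruby
# Added example (not from the advisory or the octopoller project): find files
# under a directory tree, such as an installed gem's files, whose mode grants
# write permission to group or others, and tighten them in place.
require "find"

# Write bits for group and others, the same bits `chmod go-w` removes.
GROUP_OTHER_WRITE = 0o022

# Returns [path, mode] pairs for every regular file or directory under +root+
# that is group- or world-writable. Symlinks are skipped so that a later
# chmod cannot be redirected to a target outside the tree.
def find_loose_permissions(root)
  loose = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    next unless st.file? || st.directory?
    mode = st.mode & 0o7777
    loose << [path, mode] if (mode & GROUP_OTHER_WRITE) != 0
  end
  loose
end

# Clears the group/other write bits on every loose entry and returns
# [path, old_mode, new_mode] triples describing what was changed.
def tighten_permissions(root)
  find_loose_permissions(root).map do |path, mode|
    new_mode = mode & ~GROUP_OTHER_WRITE
    File.chmod(new_mode, path)
    [path, mode, new_mode]
  end
end

# Usage: ruby fix_gem_perms.rb GEM_NAME (script name is a placeholder).
# Locates the gem's install directory via RubyGems and reports each change.
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  begin
    root = Gem::Specification.find_by_name(ARGV[0]).full_gem_path
  rescue Gem::MissingSpecError => e
    warn e.message
    exit 1
  end
  tighten_permissions(root).each do |path, old_mode, new_mode|
    printf("%s: %04o -> %04o\n", path, old_mode, new_mode)
  end
end
```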