CVE-2024-43791

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-43791
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43791.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-43791
Aliases
Related
Published
2024-08-23T15:15:16Z
Modified
2024-09-13T00:50:41.127329Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.

References

Affected packages

Git / github.com/steveklabnik/request_store

Affected ranges

Type
GIT
Repo
https://github.com/steveklabnik/request_store
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2b5e071fe93243b9dbca9df04dc3798b99be0c04

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2