7.8

CVE-2024-43791

EPSS 0.06%
Veröffentlicht 23.08.2024 15:15:16
Zuletzt bearbeitet 12.09.2024 18:26:31
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Steveklabnik ≫ Request Store Version1.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.189

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-43791

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-43791

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-43791

EUVD