SEVERITY
CVSS v3.x: 6.6 (Medium)
PATCHED VERSIONS
- >= 0.16.2
DESCRIPTION
kaminari versions prior to 0.16.2 contain an Insecure File Permissions vulnerability: certain files within the kaminari gem ship with insecure file permissions.
Versions Affected: < 0.16.2
Fixed Versions: >= 0.16.2
Impact
An attacker with local access could write arbitrary code into the affected files, resulting in arbitrary code execution.
Releases
The fixed releases are available at the normal locations.
Workarounds
Manually set the permissions of the affected files to 644.
All Affected Versions:
lib/kaminari/models/page_scope_methods.rb
Version 0.15.0 and 0.15.1:
spec/models/mongo_mapper/mongo_mapper_spec.rb
Version 0.16.0:
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
Version 0.16.1:
spec/models/active_record/scopes_spec.rb
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
gemfiles/data_mapper_12.gemfile
gemfiles/active_record_32.gemfile
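As an added example (not part of the advisory or the kaminari project), a POSIX shell check that reports which of the files listed above are group- or world-writable in an installed copy of the gem and resets them to 644 as the workaround describes. The gem directory argument is an assumption, for instance the path printed by `bundle show kaminari`.

```shell
#!/bin/sh
# Added example, not from the advisory: audit and fix the affected kaminari
# files. The gem root passed to the functions is assumed to be the installed
# gem's directory (e.g. the output of `bundle show kaminari`).

# Affected file list taken from the advisory (union over all listed versions).
AFFECTED_FILES="
lib/kaminari/models/page_scope_methods.rb
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
spec/models/active_record/scopes_spec.rb
gemfiles/data_mapper_12.gemfile
gemfiles/active_record_32.gemfile
"

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print each affected file under $1 that is writable by group or others.
# Returns 0 if at least one insecure file was found, 1 otherwise.
find_insecure() {
    gem_dir=$1
    found=1
    for rel in $AFFECTED_FILES; do
        f="$gem_dir/$rel"
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        # Last two octal digits are group and other; 2,3,6,7 carry the write bit.
        case $mode in
            *[2367]?|*[2367]) echo "$f ($mode)"; found=0 ;;
        esac
    done
    return $found
}

# Reset every affected file under $1 to 644 (owner rw, group/other read-only).
fix_permissions() {
    gem_dir=$1
    for rel in $AFFECTED_FILES; do
        f="$gem_dir/$rel"
        [ -f "$f" ] && chmod 644 "$f"
    done
    return 0
}
```

Run `find_insecure "$(bundle show kaminari)" && fix_permissions "$(bundle show kaminari)"` to repair only when something insecure is reported.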