Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

---
gem: brakeman
date: 2019-10-24
url: https://brakemanscanner.org/blog/2019/10/14/brakeman-4-dot-7-dot-1-released
cve: 2019-18409
title: brakeman world writable files allow local privilege escalation
description: |
  The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local
  privilege escalation because it ships files that are world-writable.
  For example, if brakeman 4.5.0 through 4.7.0 (which depends on the
  legacy gem) is installed, any local user can insert malicious code into
  ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb, which is
  then loaded and executed by whichever user next runs brakeman.
cvss_v2: '4.6'
cvss_v3: '7.8'
unaffected_versions:
- "<= 4.4.0"
patched_versions:
- ">= 4.7.1"
related:
  url:
  - https://github.com/zenspider/ruby_parser-legacy/issues/1
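The condition behind this advisory is simple to audit for: a file inside an installed gem whose mode has the other-write bit set. The script below is an added example, not part of the advisory or of the brakeman or ruby_parser-legacy projects. It walks a gem directory, reports regular files that are world-writable (symlinks are skipped so a link into /tmp does not count), clears the group- and other-write bits on what it finds, and includes a constructed demonstration in a temporary directory that mimics the affected file layout; the path names and file contents in the demo are made up for illustration.

```ruby
require 'rubygems'
require 'fileutils'
require 'tmpdir'

# Return the regular files under +root+ whose mode lets "other" write
# to them (the CVE-2019-18409 condition). Symlinks are skipped so a link
# that points into a world-writable location is not reported as a hit.
def world_writable_files(root)
  Dir.glob(File.join(root, '**', '*'), File::FNM_DOTMATCH).select do |path|
    next false if File.symlink?(path) || !File.file?(path)
    (File.stat(path).mode & 0o002) != 0
  end.sort
end

# Audit every installed gem. Returns { "name-version" => [paths] } for
# gems that contain at least one world-writable file.
def audit_installed_gems
  Gem::Specification.each_with_object({}) do |spec, findings|
    hits = world_writable_files(spec.full_gem_path)
    findings[spec.full_name] = hits unless hits.empty?
  end
end

# Remediation: drop the group- and other-write bits, leaving the rest of
# the mode (including any execute bits) untouched.
def fix_permissions(paths)
  paths.each do |path|
    mode = File.stat(path).mode & 0o7777
    File.chmod(mode & ~0o022, path)
  end
end

# Constructed demonstration (not a real gem install): one file shipped
# world-writable as in the vulnerable gem, one with a sane mode.
# Returns [relative paths found before the fix, paths found after].
def demo
  Dir.mktmpdir('legacy-demo') do |dir|
    lib = File.join(dir, 'lib', 'ruby_parser', 'legacy')
    FileUtils.mkdir_p(lib)
    bad  = File.join(lib, 'ruby_parser.rb')  # hypothetical sample file
    good = File.join(lib, 'version.rb')      # hypothetical sample file
    File.write(bad, "# constructed sample\n")
    File.write(good, "# constructed sample\n")
    File.chmod(0o666, bad)   # mode 0666: anyone on the host can edit it
    File.chmod(0o644, good)

    before = world_writable_files(dir)
    fix_permissions(before)
    after = world_writable_files(dir)
    [before.map { |p| p.sub("#{dir}/", '') }, after]
  end
end

if $PROGRAM_NAME == __FILE__
  before, after = demo
  puts "demo: world-writable before fix: #{before.inspect}, after: #{after.inspect}"
  audit_installed_gems.each do |gem_name, paths|
    puts "#{gem_name}:"
    paths.each { |p| puts "  #{p}" }
  end
end
```

Run it on a host where brakeman 4.5.0 through 4.7.0 was installed to list the offending files; fixing the permissions closes the write window, but the safe course is still to upgrade to brakeman 4.7.1 or later, since a file that was already writable may already have been modified and should be compared against the published gem.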