CVE-2019-18409

Published: Oct 24, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

Affected (1)

Products: Zenspider: Ruby Parser Legacy

1 product

Ruby Parser Legacy

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zenspider Ruby Parser Legacy	Version 1.0.0

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (2)

https://github.com/zenspider/ruby_parser-legacy/issues/1

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/zenspider/ruby_parser-legacy/issues/1

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.