← Back

CVE-2024-43791

nvd nist
Published: Aug 23, 2024Modified: Sep 12, 2024

JSON object

Loading...
7.8
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD

Description

RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.

Affected (1)

Steveklabnik
1 product
Request Store
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Request Store
Version 1.3.2

Related CWEs

CWE-276
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.

References (1)

Source: security-advisories@github.com
Third Party Advisory

Timeline

No history available yet.