Skip to content

Insecure File Permissions Vulnerability

Moderate
yuki24 published GHSA-7r3j-qmr4-jfpj May 27, 2024

Package

bundler kaminari (RubyGems)

Affected versions

0.16.1, 0.16.0, 0.15.1, and 0.15.0

Patched versions

0.16.2 or later

Description

A moderate severity security vulnerability has been identified in the Kaminari pagination library for Ruby on Rails, concerning insecure file permissions. This advisory outlines the vulnerability, affected versions, and provides guidance for mitigation.

Impact

This vulnerability is of moderate severity due to the potential for unauthorized write access to particular Ruby files managed by the library. Such access could lead to the alteration of application behavior or data integrity issues.

Resolution

Those who use the gem install command, such as gem install kaminari -v 0.16.1, gem unpack kaminari -v 0.16.1, or bundle install to download the package would not be affected and no action is required.

Those who manually download and decompressing the affected versions are advised to update to 0.16.2 or later version of Kaminari where file permissions have been adjusted to enhance security.

Workarounds

If upgrading is not feasible immediately, manually adjusting the file permissions on the server to 644 to restrict access is a viable interim measure.

All Affected Versions:

lib/kaminari/models/page_scope_methods.rb

In addition to the previously mentioned files, security tools like AWS Inspector might also identify other files as unsafe. These files, although not loaded or used at runtime, may still be flagged. To avoid any potential confusion in your logs and ensure system integrity, we recommend updating the permissions for these files as well. This proactive measure helps maintain a clean security posture and minimizes unnecessary alerts.

Version 0.15.0 and 0.15.1:

spec/models/mongo_mapper/mongo_mapper_spec.rb

Version 0.16.0:

spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb

Version 0.16.1:

spec/models/active_record/scopes_spec.rb
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
gemfiles/data_mapper_12.gemfile
gemfiles/active_record_32.gemfile

References

Official Kaminari repository link (this page)

Acknowledgements

We thank Gareth Jones for discovering and reporting this issue. Their diligent work is instrumental in our ongoing efforts to maintain and improve software security.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2024-32978

Weaknesses

No CWEs

Credits