From 55e3c81b03756ea63ca3d50c516f783ad65f30cf Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Wed, 15 Jun 2022 22:31:57 +0000 Subject: [PATCH] Add CVE-2022-31072 for GHSA-g28x-pgr3-qqx6 Add CVE-2022-31072 for GHSA-g28x-pgr3-qqx6 --- 2022/31xxx/CVE-2022-31072.json | 82 +++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 6 deletions(-) diff --git a/2022/31xxx/CVE-2022-31072.json b/2022/31xxx/CVE-2022-31072.json index 6c789bbbc82..1bab2f494c9 100644 --- a/2022/31xxx/CVE-2022-31072.json +++ b/2022/31xxx/CVE-2022-31072.json @@ -1,18 +1,88 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31072", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Octokit gem published with world-writable files" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "octokit.rb", + "version": { + "version_data": [ + { + "version_value": ">= 4.23.0, < 4.25.0" + } + ] + } + } + ] + }, + "vendor_name": "octokit" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.\n\n" } ] + }, + "impact": { + "cvss": { + "attackComplexity": "HIGH", + "attackVector": "LOCAL", + "availabilityImpact": "NONE", + "baseScore": 2.5, + "baseSeverity": "LOW", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-276: Incorrect Default Permissions" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6", + "refsource": "CONFIRM", + "url": "https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6" + }, + { + "name": "https://github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55", + "refsource": "MISC", + "url": "https://github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55" + } + ] + }, + "source": { + "advisory": "GHSA-g28x-pgr3-qqx6", + "discovery": "UNKNOWN" } } \ No newline at end of file