Insecure Permissions Affecting octokit package, versions >=4.23.0, <4.25.0


Severity

Low (Snyk CVSS score 2.5; full metrics in the CVSS Scores section below)

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.04% (14th percentile)

  • Snyk ID SNYK-RUBY-OCTOKIT-2928761
  • published 22 Aug 2022
  • disclosed 16 Jun 2022
  • credit nickfloyd

How to fix?

Upgrade octokit to version 4.25.0 or higher.

Overview

Affected versions of this package are vulnerable to Insecure Permissions because the published gem file contains world-writable files (files whose group and other/world write bits are set). On any instance where such a release has been installed, every local user other than the file owner, whether a member of the owning group or anyone else on the system, can modify those files, including the Ruby source that applications load from the gem.

Workaround:

Users who cannot upgrade to version 4.25.0 can revert to version 4.22.0, the last release before the affected range (>=4.23.0, <4.25.0). Alternatively, correct the permissions of the installed gem files by hand, removing the group and world write bits so that only the file owner can modify them.
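The manual workaround above, as an added example that is not part of the Snyk advisory or of the octokit gem itself: a Ruby script that locates an installed gem through RubyGems, lists every file or directory under it whose group or world write bit is set, and clears those bits when asked to. `Gem::Specification.find_by_name` and `full_gem_path` are the real RubyGems API; the function names and the throwaway sample directory the script builds for an offline demonstration are this example's own assumptions.

```ruby
# Added example (not part of the Snyk advisory or the octokit project):
# find and fix group/world-writable files in an installed gem, which is
# the manual workaround the advisory describes.
require "find"
require "tmpdir"
require "fileutils"

# Permission bits that let a non-owner modify an entry:
# group write (0o020) and other/world write (0o002).
NON_OWNER_WRITE = 0o022

# Return (sorted) every file and directory under +dir+ that a user other
# than the owner could modify. Symlinks are skipped: their mode bits are
# meaningless and Find does not descend into them anyway.
def non_owner_writable_entries(dir)
  hits = []
  Find.find(dir) do |path|
    st = File.lstat(path)
    next if st.symlink?
    hits << path if (st.mode & NON_OWNER_WRITE) != 0
  end
  hits.sort
end

# Clear the group/world write bits on every entry the scan reports.
# Returns the list of paths that were changed.
def fix_non_owner_writable!(dir)
  non_owner_writable_entries(dir).each do |path|
    mode = File.lstat(path).mode & 0o7777        # permission bits only, drop file-type bits
    File.chmod(mode & ~NON_OWNER_WRITE, path)
  end
end

# Resolve the install directory of a gem via RubyGems, or nil if it is
# not installed (Gem::MissingSpecError is a Gem::LoadError).
def installed_gem_path(name)
  Gem::Specification.find_by_name(name).full_gem_path
rescue Gem::LoadError
  nil
end

# Constructed sample data (not a real octokit install): a temporary tree
# shaped like a badly packaged gem, so the scan can be exercised offline.
def build_sample_gem_dir
  root = Dir.mktmpdir("bad-gem-")
  lib = File.join(root, "lib")
  FileUtils.mkdir_p(lib)
  File.write(File.join(lib, "octokit.rb"), "# sample file\n")
  File.write(File.join(lib, "version.rb"), "# sample file\n")
  File.chmod(0o666, File.join(lib, "octokit.rb"))  # group+world writable: bad
  File.chmod(0o644, File.join(lib, "version.rb"))  # owner-only write: fine
  File.chmod(0o777, lib)                            # world-writable directory: bad
  File.chmod(0o755, root)
  root
end

if __FILE__ == $PROGRAM_NAME
  apply  = !ARGV.delete("--fix").nil?               # report only unless --fix is given
  target = ARGV[0] || installed_gem_path("octokit")
  sample = target.nil?
  target = build_sample_gem_dir if sample           # fall back to the constructed tree
  bad = non_owner_writable_entries(target)
  puts "#{bad.size} non-owner-writable entries under #{target}"
  bad.each { |p| puts format("  %04o %s", File.lstat(p).mode & 0o7777, p) }
  if apply
    fixed = fix_non_owner_writable!(target)
    puts "cleared group/world write bits on #{fixed.size} entries"
  end
  FileUtils.rm_rf(target) if sample
end
```

Run it with no arguments to audit the installed octokit gem (or, if the gem is absent, the constructed sample tree), pass a directory to audit any other gem, and add `--fix` to actually strip the bits. With GNU find the same scan is `find "$GEM_PATH" -perm /022`; the script adds the RubyGems lookup and the repair step.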

CVSS Scores

CVSS v3.1

Snyk (recommended): 2.5 low
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    Low
  • Availability (A)
    None
NVD: 3.3 low