Updated advisory posts against rubysec/ruby-advisory-db@33907c1

Author: jasnow

advisories/_posts/2024-08-23-CVE-2024-43791.md

@@ -0,0 +1,46 @@
+---
+layout: advisory
+title: 'CVE-2024-43791 (request_store): request_store has Incorrect Default Permissions'
+comments: false
+categories:
+- request_store
+advisory:
+  gem: request_store
+  cve: 2024-43791
+  ghsa: frp2-5qfc-7r8m
+  url: https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+  title: request_store has Incorrect Default Permissions
+  date: 2024-08-23
+  description: |
+    ### Impact
+
+    The files published as part of request_store 1.3.2 have 0666
+    permissions, meaning that they are world-writable, which allows
+    local users to execute arbitrary code.
+
+    This version was published in 2017, and most production environments
+    do not allow access for local users, so the chances of this being
+    exploited are very low, given that the vast majority of users will
+    have upgraded, and those that have not, if any, are not likely to
+    be exposed.
+
+    ### Patches
+
+    I am not aware of any other version of the gem with incorrect
+    permissions, so simply upgrading should fix the issue.
+
+    ### Workarounds
+
+    You could chmod the files yourself, I guess.
+  cvss_v3: 7.8
+  unaffected_versions:
+  - "< 1.3.2"
+  patched_versions:
+  - ">= 1.4.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43791
+    - https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+    - https://cwe.mitre.org/data/definitions/276.html
+    - https://github.com/advisories/GHSA-frp2-5qfc-7r8m
+---