GSHA SYNC: 1 brand new advisory

Author: jasnow

gems/request_store/CVE-2024-43791.yml

@@ -0,0 +1,39 @@
+---
+gem: request_store
+cve: 2024-43791
+ghsa: frp2-5qfc-7r8m
+url: https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+title: request_store has Incorrect Default Permissions
+date: 2024-08-23
+description: |
+  ### Impact
+
+  The files published as part of request_store 1.3.2 have 0666
+  permissions, meaning that they are world-writable, which allows
+  local users to execute arbitrary code.
+
+  This version was published in 2017, and most production environments
+  do not allow access for local users, so the chances of this being
+  exploited are very low, given that the vast majority of users will
+  have upgraded, and those that have not, if any, are not likely to
+  be exposed.
+
+  ### Patches
+
+  I am not aware of any other version of the gem with incorrect
+  permissions, so simply upgrading should fix the issue.
+
+  ### Workarounds
+
+  You could chmod the files yourself, I guess.
+cvss_v3: 7.8
+unaffected_versions:
+  - "< 1.3.2"
+patched_versions:
+  - ">= 1.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43791
+    - https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+    - https://cwe.mitre.org/data/definitions/276.html
+    - https://github.com/advisories/GHSA-frp2-5qfc-7r8m