G-Rath

**Name of the Vulnerable Software and Affected Versions** request store version 1.3.2 **Description** The files published as part of request store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed. **Recommendations** To resolve the issue, simply upgrading to a newer version should fix the problem, as there is no other version of the gem with incorrect permissions. Alternatively, you could chmod the files yourself as a temporary workaround. Upgrading to version 1.4.0 is specifically recommended to mitigate risks.

**Name of the Vulnerable Software and Affected Versions** Kaminari versions prior to 0.16.2 **Description** A security issue involving insecure file permissions has been identified in the Kaminari pagination library for Ruby on Rails. This issue is of moderate severity due to the potential for unauthorized write access to particular Ruby files managed by the library, which could lead to the alteration of application behavior or data integrity issues. **Recommendations** For versions prior to 0.16.2, update to Kaminari version 0.16.2 or later, where file permissions have been adjusted to enhance security. If upgrading is not feasible immediately, manually adjust the file permissions on the server to restrict access, setting them to 644. Consider reviewing and adjusting the file permissions for particular Ruby files in Kaminari to ensure they are only accessible by authorized users.

**Name of the Vulnerable Software and Affected Versions** ROTP versions prior to 6.3.0 **Description** The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. **Recommendations** For versions prior to 6.3.0, users should patch to version 6.3.0. For users unable to patch, correct file permissions after installation.

**Name of the Vulnerable Software and Affected Versions** Resque versions prior to 2.1.0 **Description** The issue is related to reflected Cross Site Scripting (XSS) through the `current queue` parameter in the path of the queues endpoint. This allows for potential exploitation by manipulating the endpoint path. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. The technical details about exploitation include the use of the `current queue` parameter in the queues endpoint. **Recommendations** For Resque versions prior to 2.1.0, update to version 2.1.0 to resolve the issue. As a temporary workaround, consider avoiding clicks on 3rd party or untrusted links to the resque-web interface until the application is patched.