Nickfloyd

**Name of the Vulnerable Software and Affected Versions** octokit/webhooks versions 9.26.0 through 9.26.2 octokit/webhooks versions 10.9.0 through 10.9.1 octokit/webhooks versions 11.1.0 through 11.1.1 octokit/webhooks versions 12.0.0 through 12.0.3 **Description** The issue is caused by a problem with error handling in the @octokit/webhooks library, where the error can be undefined in some cases, resulting in an uncaught exception that ends the nodejs process. This problem was encountered during a pentest and is specifically related to the octokit/webhooks library, a dependency of Probot, a framework for building Github Apps. **Recommendations** For octokit/webhooks versions 9.26.0 through 9.26.2, update to version 9.26.3. For octokit/webhooks versions 10.9.0 through 10.9.1, update to version 10.9.2. For octokit/webhooks versions 11.1.0 through 11.1.1, update to version 11.1.2. For octokit/webhooks versions 12.0.0 through 12.0.3, update to version 12.0.4. As a general recommendation, it is advised to upgrade to the latest version of octokit/webhooks.js or use one of the updated backported versions.

**Name of the Vulnerable Software and Affected Versions** octopoller version 0.2.0 **Description** The issue arises from the octopoller gem being packed with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--` (i.e. 0644) in version 0.2.0. This means that everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. Malicious code already present and running on the machine could modify the gem’s files and change its behavior during runtime. **Recommendations** For version 0.2.0, consider modifying the file permissions manually until you are able to upgrade to the latest version, which is 0.3.0. Alternatively, downgrade to version 0.1.0 until the latest version is available. As a temporary workaround, manually set the file permissions to `rw-r--r--` (i.e. 0644) to prevent unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** Octokit versions 4.23.0 through 4.24.0 **Description** The issue concerns the Octokit gem, a Ruby toolkit for the GitHub API, where versions 4.23.0 and 4.24.0 were published with world-writeable files. The gem's files had permissions set to `-rw-rw-rw-` (i.e., 0666) instead of `rw-r--r--` (i.e., 0644), allowing anyone with access to the instance where the release was installed to modify these files. This could potentially enable malicious code already present on a machine to alter the gem's behavior during runtime. **Recommendations** For versions 4.23.0 and 4.24.0, consider modifying the file permissions manually to `rw-r--r--` (i.e., 0644) until you are able to upgrade to the latest version. Alternatively, for versions 4.23.0 and 4.24.0, use the previous version of the gem, v4.22.0, as a temporary workaround. For a permanent fix, upgrade to Octokit 4.25.0.