PT-2019-15394 · Ruby · Ruby Parser-Legacy+1

Fwininger

Published

2019-10-24

Updated

2019-10-30

CVE-2019-18409

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ruby parser-legacy gem version 1.0.0 brakeman gem versions 4.5.0 through 4.7.0

Description The issue allows local privilege escalation due to world-writable files. A local user can insert malicious code into the ruby parser-legacy-1.0.0/lib/ruby parser/legacy/ruby parser.rb file, for example, when the brakeman gem with a legacy dependency is used.

Recommendations For ruby parser-legacy gem version 1.0.0, update to a version that fixes the world-writable files issue. For brakeman gem versions 4.5.0 through 4.7.0, consider disabling the dependency on the ruby parser-legacy gem until a patch is available.

Exploit

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2019-18409

GHSA-HHWC-8G49-J8JX

Affected Products

Brakeman

Ruby Parser-Legacy

PT-2019-15394 · Ruby · Ruby Parser-Legacy+1

CVE-2019-18409

Weakness Enumeration

Related Identifiers

Affected Products

References · 7