CVE-2022-31072

Name of the Vulnerable Software and Affected Versions Octokit versions 4.23.0 through 4.24.0

Description The issue concerns the Octokit gem, a Ruby toolkit for the GitHub API, where versions 4.23.0 and 4.24.0 were published with world-writeable files. The gem's files had permissions set to -rw-rw-rw- (i.e., 0666) instead of rw-r--r-- (i.e., 0644), allowing anyone with access to the instance where the release was installed to modify these files. This could potentially enable malicious code already present on a machine to alter the gem's behavior during runtime.

Recommendations For versions 4.23.0 and 4.24.0, consider modifying the file permissions manually to rw-r--r-- (i.e., 0644) until you are able to upgrade to the latest version. Alternatively, for versions 4.23.0 and 4.24.0, use the previous version of the gem, v4.22.0, as a temporary workaround. For a permanent fix, upgrade to Octokit 4.25.0.