GHSA-x2h8-qmj4-g62f

Source
https://github.com/advisories/GHSA-x2h8-qmj4-g62f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-x2h8-qmj4-g62f/GHSA-x2h8-qmj4-g62f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2h8-qmj4-g62f
Aliases
  • CVE-2024-28862
Published
2024-03-18T17:21:46Z
Modified
2024-03-19T18:46:07.051349Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
ROTP 6.2.2 and 6.2.1 have 0666 permissions for the .rb files.
Details

The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions were installed with overly permissive default file permissions (mode 0666 on the library's .rb files, i.e. world-writable). Users should update to version 6.3.0. Users unable to update may correct the file permissions after installation.

Database specific
{
    "nvd_published_at": "2024-03-16T00:15:07Z",
    "cwe_ids": [
        "CWE-276"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T17:21:46Z"
}
References

Affected packages

RubyGems / rotp

Package

Name
rotp
Purl
pkg:gem/rotp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.1
Fixed
6.3.0

Affected versions

6.*

6.2.1
6.2.2