UBUNTU-CVE-2022-31072

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2022-31072

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-31072.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2022-31072

Related

CVE-2022-31072

Published

2022-06-15T23:15:00Z

Modified

2024-10-15T14:09:57Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Octokit is a Ruby toolkit for the GitHub API. Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem. This issue is patched in Octokit 4.25.0. Two workarounds are available. Users can use the previous version of the gem, v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

References

Affected packages

Ubuntu:Pro:16.04:LTS / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.8.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.7.0-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.13.0-1

4.13.0+gh-1

4.15.0-1

4.16.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.17.0-2

4.17.0-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.25.1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / ruby-octokit

Package

Name: ruby-octokit
Purl: pkg:deb/ubuntu/ruby-octokit?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.20.0-1

4.25.1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}