Arbitrary Code Execution Vulnerability in RequestStore Rack (CVE-2017-1234)
CVE-2024-43791

7.8 HIGH

Key Information:

Vendor
CVE Published: 23 August 2024

Summary

Version 1.3.2 of the RequestStore product by Steve Klabnik was published with insufficient permissions on its files, leaving them world-writable. Because any local account can write to those files, a local user can execute arbitrary code in environments where such access is available. This version was released in 2017 and most users have likely upgraded to more secure versions, but anyone who might still be running the vulnerable version in production should be aware of the issue.

Affected Version(s)

request_store = 1.3.2
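
The check below is an added example, not code from this advisory or from the request_store project: it lists files under an installed gem directory that have the world-writable bit set, which is the condition the summary describes. The helper names and the sample tree are constructed for illustration.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'
require 'rubygems'

WORLD_WRITABLE = 0o002 # the "other write" permission bit

# Return the paths under root whose mode has the world-writable bit set.
# Symlinks are skipped because their own mode bits are not meaningful.
def world_writable_paths(root)
  hits = []
  Find.find(root) do |path|
    begin
      st = File.lstat(path)
    rescue SystemCallError
      next # entry vanished or is unreadable; nothing to report
    end
    next if st.symlink?
    hits << path if (st.mode & WORLD_WRITABLE) != 0
  end
  hits.sort
end

# Install directories of a gem at an exact version ([] if it is not installed).
def gem_install_dirs(name, version)
  Gem::Specification.find_all_by_name(name, "= #{version}").map(&:full_gem_path)
end

# Constructed sample tree: one file with mode 0644, one with mode 0666.
def demo_scan
  Dir.mktmpdir('gemscan') do |dir|
    lib = File.join(dir, 'lib')
    FileUtils.mkdir_p(lib)
    { 'ok.rb' => 0o644, 'bad.rb' => 0o666 }.each do |name, mode|
      file = File.join(lib, name)
      File.write(file, "# constructed sample\n")
      File.chmod(mode, file)
    end
    File.chmod(0o755, dir, lib)
    world_writable_paths(dir).map { |p| p.sub("#{dir}/", '') }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "sample tree: #{demo_scan.inspect}"
  gem_install_dirs('request_store', '1.3.2').each do |dir|
    world_writable_paths(dir).each { |p| puts "world-writable: #{p}" }
  end
end
```

An empty result for the installed gem means either that version is not installed or none of its files are world-writable.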

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
