CVE-2024-28862 – rotp

Package

Manager: gem
Name: rotp
Vulnerable Version: >=6.2.1 <6.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00029 pctl0.06678

Details

ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files. The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Users should patch to version 6.3.0. Users unable to patch may correct file permissions after installation.

Metadata

Created: 2024-03-18T17:21:46Z
Modified: 2024-03-19T18:29:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-x2h8-qmj4-g62f/GHSA-x2h8-qmj4-g62f.json
CWE IDs: ["CWE-276"]
Alternative ID: GHSA-x2h8-qmj4-g62f
Finding: F159
Auto approve: 1