
Incorrect Permission Assignment for Critical Resource

CVE-2019-18409

Severity High
Score 7.8/10

Summary

The ruby_parser-legacy (aka legacy) gem for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the "ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb" file.

  • LOW
  • LOCAL
  • HIGH
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • HIGH

CWE-732 - Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
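To check an installation for the condition described in the Summary, the following added example (not code from the advisory or from the affected gems) walks a directory tree and reports every file or directory whose "other" write bit is set, and can clear that bit. The helper names, the constructed sample tree and the file `constructed_ok.rb` are assumptions made for illustration.

```ruby
require "find"
require "fileutils"
require "tmpdir"

WORLD_WRITE = 0o002 # "other" write bit

# Return sorted [path, octal mode] pairs for each regular file or directory
# under root that any local user can modify. Symlinks are skipped because
# their own mode bits are not what gets enforced.
def world_writable_paths(root)
  hits = []
  Find.find(root) do |path|
    begin
      st = File.lstat(path)
    rescue SystemCallError
      next # entry vanished or is unreadable; nothing to report
    end
    next unless st.file? || st.directory?
    hits << [path, format("%04o", st.mode & 0o7777)] if (st.mode & WORLD_WRITE).nonzero?
  end
  hits.sort
end

# Clear only the "other" write bit; owner and group bits stay as they were.
def strip_world_write(hits)
  hits.each do |path, _mode|
    File.chmod(File.lstat(path).mode & 0o7777 & ~WORLD_WRITE, path)
  end
end

# Constructed sample tree mirroring the path in the Summary. Returns the
# path of the one file deliberately given mode 0666.
def build_sample_gem(base)
  lib = File.join(base, "gems", "ruby_parser-legacy-1.0.0", "lib", "ruby_parser", "legacy")
  FileUtils.mkdir_p(lib)
  bad = File.join(lib, "ruby_parser.rb")
  ok = File.join(lib, "constructed_ok.rb") # hypothetical file name
  [bad, ok].each { |f| File.write(f, "# constructed sample\n") }
  FileUtils.chmod_R(0o755, File.join(base, "gems")) # fixed modes, independent of umask
  File.chmod(0o644, ok)
  File.chmod(0o666, bad)
  bad
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    build_sample_gem(tmp)
    roots = ARGV.empty? ? [tmp] : ARGV # no arguments: scan the constructed tree
    roots.each { |r| world_writable_paths(r).each { |path, mode| puts "#{mode}  #{path}" } }
  end
end
```

Pass one or more gem directories as arguments (for example the path printed by `gem env gemdir`) to scan a real installation instead of the constructed tree.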

Advisory Timeline

  • Published