
CVE-2019-17383: netaddr before 1.5.3 and 2.0.4 has Incorrect Default Permissions

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.53576%
Published: 10/14/2019
Updated: 10/23/2024
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
netaddr      | rubygems  | >= 2.0.0, < 2.0.4   | 2.0.4
netaddr      | rubygems  | < 1.5.3             | 1.5.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from incorrect file permissions set during gem installation, not from any specific code function. The root cause was that files in the repository had 0755 permissions (world-executable), which were inherited during gem packaging; once installed, these permissions resulted in world-writable access (0777 in some environments). The fix changed the file modes to 0644 in the repository (commit 3aac46c). Because this is a packaging/filesystem permission issue rather than a flaw in application logic or specific functions, no code functions can be identified as vulnerable with high confidence.
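As an added check that is not part of the Miggo record or the netaddr project, the following POSIX shell script audits a directory tree for the world-writable entries a bad install could leave behind and applies the modes the upstream fix used (0644 for files, 0755 for directories). It assumes a real audit would be pointed at the gem's install path under `gem environment gemdir`; the demonstration below uses a constructed throwaway tree instead.

```shell
#!/bin/sh
# Added example, not from the Miggo page or the netaddr project.
# Audits a tree for world-writable files/directories (the condition a bad
# netaddr gem install could produce) and normalises modes the way the
# upstream fix did: 0644 for regular files, 0755 for directories.

# Print how many files or directories under $1 grant write to "other"
# (the 0002 bit). Octal -perm is POSIX and unambiguous.
count_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002 | wc -l | tr -d ' '
}

# List the offending paths so they can be reviewed before anything changes.
list_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -0002
}

# Normalise modes: regular files 0644, directories 0755.
# Files that must stay executable (e.g. bin/ scripts) would need a separate
# rule; this blanket 0644 mirrors the repository-side fix for library files.
fix_modes() {
  find "$1" -type f -exec chmod 0644 {} +
  find "$1" -type d -exec chmod 0755 {} +
}

# Constructed demonstration on a throwaway tree that mimics an installed gem.
# To audit a real installation, point the functions at
# "$(gem environment gemdir)/gems/netaddr-<VERSION>" (placeholder) instead.
demo=$(mktemp -d)
mkdir -p "$demo/lib/netaddr"
printf 'module NetAddr; end\n' > "$demo/lib/netaddr.rb"
chmod 0777 "$demo/lib/netaddr.rb"   # the bad mode the advisory describes
chmod 0777 "$demo/lib/netaddr"

echo "world-writable entries before fix: $(count_world_writable "$demo")"
list_world_writable "$demo"
fix_modes "$demo"
echo "world-writable entries after fix:  $(count_world_writable "$demo")"
rm -rf "$demo"
```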


WAF Protection Rules

WAF Rule

The netaddr gem before 1.5.3 and 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem.
