CVE-2019-17383: netaddr before 1.5.3 and 2.0.4 has Incorrect Default Permissions
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.53576%
CWE
Published: 10/14/2019
Updated: 10/23/2024
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
netaddr | rubygems | >= 2.0.0, < 2.0.4 | 2.0.4 |
netaddr | rubygems | < 1.5.3 | 1.5.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incorrect file permissions set during gem installation, not from specific code functions. Files in the repository had 0755 permissions (world-executable), and these were inherited during gem packaging. When the gem was installed, these permissions allowed world-writable access (0777 in some environments). The fix changed file modes to 0644 in the repository (commit 3aac46c). Because this is a packaging and filesystem permission issue rather than a flaw in application logic or specific functions, no code functions can be identified as vulnerable with high confidence.
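A check for the condition described above, as an added example (not code from the netaddr project or from this advisory): it walks a directory, such as an installed gem's path, and lists every file or directory whose mode has the world-write bit set. The sample tree, its file names and the helper names are constructed for the demonstration.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

WORLD_WRITE = 0o002 # "other" write bit

# True when any local user may write to an object with this mode.
def world_writable?(mode)
  (mode & WORLD_WRITE) != 0
end

# Walk root and return sorted [relative_path, octal_mode] pairs for every
# regular file or directory with the world-write bit set. Symlinks are
# skipped because their own mode bits carry no meaning.
def audit_tree(root)
  findings = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    next unless st.file? || st.directory?
    perms = st.mode & 0o7777
    next unless world_writable?(perms)
    findings << [path.delete_prefix(root + '/'), format('%04o', perms)]
  end
  findings.sort
end

# Constructed sample tree standing in for an installed gem directory.
def build_sample_tree(root)
  { 'lib/example.rb' => 0o644, 'lib/example/ipv4.rb' => 0o777,
    'README.md' => 0o666, 'test/run_all.rb' => 0o755 }.each do |rel, mode|
    full = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(full), mode: 0o755)
    File.write(full, "# constructed sample\n")
    File.chmod(mode, full) # chmod is not affected by the umask
  end
end

# Build the sample tree in a temp dir and audit it.
def demo
  Dir.mktmpdir('gem-perm-audit') do |dir|
    build_sample_tree(dir)
    audit_tree(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Pass a directory (for example a gem's install path) or run the demo.
  results = ARGV[0] ? audit_tree(File.expand_path(ARGV[0])) : demo
  results.each { |rel, mode| puts "#{mode}  #{rel}" }
end
```

The 0755 and 0644 files are not reported because neither mode grants write access to other users; only the 0666 and 0777 entries are.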