7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-18409

GHSA ID

GHSA-hhwc-8g49-j8jx

EPSS Score

0.30434%

CWE

CWE-732

Published

10/25/2019

Updated

8/25/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-18409

CVE-2019-18409: Ruby_parser-legacy Incorrect Permission Assignment for Critical Resource

The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.

(GitHub Advisory)

7.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-18409

GHSA ID

GHSA-hhwc-8g49-j8jx

EPSS Score

0.30434%

CWE

CWE-732

Published

10/25/2019

Updated

8/25/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ruby_parser-legacy	rubygems	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect file permissions (world-writable files) in the ruby_parser-legacy gem, not from specific function implementations. The advisory explicitly identifies file paths like 'lib/ruby_parser/legacy/ruby_parser.rb' as being vulnerable to modification, but does not point to any specific functions within those files as being inherently flawed. The core issue is the installation-time file permissions (CWE-732), not a coding error in a particular function. No functions are identified as vulnerable with high confidence because the exploitability comes from filesystem permissions rather than function logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ru*y_p*rs*r-l****y (*k* l****y) **m *.*.* *or Ru*y *llows lo**l privil*** *s**l*tion ****us* o* worl*-writ**l* *il*s. *or *x*mpl*, i* t** *r*k*m*n **m (w*i** **s * l****y **p*n**n*y) *.*.* t*rou** *.*.* is us**, * lo**l us*r **n ins*rt m*li*ious

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t *il* p*rmissions (worl*-writ**l* *il*s) in t** ru*y_p*rs*r-l****y **m, not *rom sp**i*i* *un*tion impl*m*nt*tions. T** **visory *xpli*itly i**nti*i*s *il* p*t*s lik* 'li*/ru*y_p*rs*r/l****y/ru*y_p*rs*r.r*' *s **

7.8

Basic Information

Concerned about an active attack path?

CVE-2019-18409: Ruby_parser-legacy Incorrect Permission Assignment for Critical Resource

7.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI