2.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31071

GHSA ID

GHSA-26qj-cr27-r5c4

EPSS Score

0.24909%

CWE

CWE-276

Published

6/15/2022

Updated

7/10/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31071

CVE-2022-31071: Octopoller gem published with world-writable files

Impact

Version 0.2.0 of the octopoller gem was published containing world-writeable files. Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644).

This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime.

Patches

octopoller 0.3.0

Workarounds

Users can use the previous version of the gem v0.1.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

(GitHub Advisory)

2.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-31071

GHSA ID

GHSA-26qj-cr27-r5c4

EPSS Score

0.24909%

CWE

CWE-276

Published

6/15/2022

Updated

7/10/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
octopoller	rubygems	= 0.2.0	0.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect file permissions (0666 instead of 0644) during the gem packaging process, not from specific functions in the codebase. The root cause was in the build/release automation scripts (script/package and script/release) which lacked proper permission validation. The fix involved adding a new validation script (script/validate) to check file permissions before release. There are no specific application logic functions in the Ruby code that directly caused this vulnerability - it was an infrastructure/process issue in the packaging workflow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t V*rsion [*.*.*](*ttps://ru*y**ms.or*/**ms/o*topoll*r/v*rsions/*.*.*) o* t** o*topoll*r **m w*s pu*lis*** *ont*inin* worl*-writ***l* *il*s. Sp**i*i**lly, t** **m w*s p**k** wit* *il*s **vin* t**ir p*rmissions s*t to `-rw-rw-rw-` (i.*. ****

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t *il* p*rmissions (**** inst*** o* ****) *urin* t** **m p**k**in* pro**ss, not *rom sp**i*i* *un*tions in t** *o****s*. T** root **us* w*s in t** `*uil*/r*l**s*` *utom*tion s*ripts (`s*ript/p**k***` *n* `s*ript/r

2.5

Basic Information

Concerned about an active attack path?

CVE-2022-31071: Octopoller gem published with world-writable files

Impact

Patches

Workarounds

2.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI