Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14Mmg4LXFtajQtZzYyZs4AA6Fh

ROTP 6.2.1 and 6.2.2 have 0666 permissions on the .rb files.

The Ruby One Time Password library (ROTP) is an open source library for generating and validating one time passwords. In the affected versions (6.2.1 and 6.2.2) the gem's .rb files are installed with mode 0666, i.e. world-writable, so any local user on the host can modify the library code that generates and verifies OTPs; this is why the CVSS vector below is local (AV:L) and requires only low privileges (PR:L). Users should upgrade to version 6.3.0. Users unable to upgrade should remove the group and other write bits from the installed .rb files after installation and re-check them after any reinstall.
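The following Ruby script is an added example of the "correct file permissions after installation" mitigation; it is not code from the rotp project or from the advisory. It locates the installed `rotp` gem through RubyGems, reports every `.rb` file with group- or other-write bits set (0666 has both), and optionally clears those bits while preserving the rest of the mode. The choice to strip exactly the `0o022` bits and the `--fix` flag are this example's own conventions.

```ruby
require "rubygems"
require "fileutils"
require "tmpdir"

# Mode bits that must not be set on installed library code:
# group-write (0o020) and other-write (0o002). 0666 = rw-rw-rw- has both.
UNWANTED_BITS = 0o022

# Return the .rb files under +dir+ whose mode has any unwanted write bit set.
# Takes a directory rather than a gem name so the check can be run on any tree.
def world_writable_rb_files(dir)
  Dir.glob(File.join(dir, "**", "*.rb")).select do |path|
    (File.stat(path).mode & UNWANTED_BITS) != 0
  end
end

# Clear the group/other write bits on each offending file, keeping every
# other bit (0666 -> 0644, 0777 -> 0755). Returns the list of files changed.
def fix_permissions!(dir)
  world_writable_rb_files(dir).each do |path|
    mode = File.stat(path).mode & 0o7777   # drop the file-type bits
    File.chmod(mode & ~UNWANTED_BITS, path)
  end
end

# Locate the installed rotp gem and audit (or repair) it.
# Returns nil when the gem is not installed so callers can tell that apart
# from "installed and clean" (an empty array).
def audit_rotp(fix: false)
  spec = Gem::Specification.find_by_name("rotp")
  dir = spec.full_gem_path
  fix ? fix_permissions!(dir) : world_writable_rb_files(dir)
rescue Gem::MissingSpecError
  nil
end

if $PROGRAM_NAME == __FILE__
  bad = audit_rotp
  if bad.nil?
    puts "rotp gem is not installed"
  elsif bad.empty?
    puts "no group/other-writable .rb files in the rotp gem"
  else
    puts "group/other-writable .rb files:"
    puts bad
    puts "fixed: #{audit_rotp(fix: true).size} file(s)" if ARGV.include?("--fix")
  end
end
```

Run it as `ruby check_rotp_perms.rb` to report and `ruby check_rotp_perms.rb --fix` to repair (the script name is arbitrary). Because the fix operates on the installed copy, it has to be repeated after every `gem install`/`bundle install` that reinstalls an affected version; upgrading to 6.3.0 removes the need.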

Permalink: https://github.com/advisories/GHSA-x2h8-qmj4-g62f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14Mmg4LXFtajQtZzYyZs4AA6Fh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 1 month ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-x2h8-qmj4-g62f, CVE-2024-28862
References: Repository: https://github.com/mdp/rotp
Blast Radius: 18.5

Affected Packages

rubygems:rotp
Dependent packages: 58
Dependent repositories: 3,073
Downloads: 72,893,923 total
Affected Version Ranges: >= 6.2.1, < 6.3.0
Fixed in: 6.3.0
All affected versions: 6.2.1, 6.2.2
All unaffected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.5.0, 1.6.0, 1.6.1, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 4.0.0, 4.0.2, 4.1.0, 5.0.0, 5.1.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0