Strix
26.1K

CVE-2024-43791

HIGHCVSS 7.8/10EPSS 0.19%

Last modified

CVE-2024-43791 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. EPSS estimates a 0.19% chance of exploitation in the next 30 days.

Description

RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.

Metrics

CVSS 3.1
7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.19%

9.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SteveklabnikRequest Store1.3.2

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-43791?
RequestStore provides per-request global storage for Rack. The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed.
How severe is CVE-2024-43791?
CVE-2024-43791 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.19% probability of exploitation in the next 30 days.
How do I fix CVE-2024-43791?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-43791?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST