VYPR
Moderate severity · NVD Advisory · Published Feb 26, 2024 · Updated Aug 2, 2024

CVE-2024-27456

Description

rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

rack-cors 2.0.1 ships its library files with world-writable (0666) permissions, allowing local unauthorized modification or disclosure.

Vulnerability

The rack-cors Ruby gem, up to version 2.0.1, distributes its .rb files with overly permissive file permissions of 0666 (world-readable and world-writable) [1][4]. This deviates from the secure default of 0644 seen in previous versions such as 2.0.0, where files were owner-writable and read-only for everyone else [4]. The issue was introduced in the 2.0.1 release, as confirmed by both the public issue tracker and the project's changelog [3][4].

Exploitation

Exploitation requires local access to a system where the 2.0.1 gem is installed. An attacker with any local user account—not necessarily root—can overwrite the gem's source files (e.g., resource.rb) or read their contents [4]. No authentication beyond local shell access is needed. The attack surface is the filesystem; no network vector is involved.

Impact

A local attacker with write access to these files can inject arbitrary Ruby code into the rack-cors middleware. Since the gem runs within the application's process (e.g., a Rails server), this code executes with the application's privileges, potentially leading to full compromise of the web application and its data [4]. Read access alone could expose sensitive logic or configuration embedded in the source files.

Mitigation

The rack-cors maintainers addressed the issue in version 2.0.2, released on 2024-03-04, by correcting the file permissions [3]. Users should immediately upgrade to >= 2.0.2. There is no known workaround: manually correcting permissions after installation may not persist across gem updates, and it does not change the permissions with which files are extracted during gem installation.
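As an added example (not from the advisory or the rack-cors project), the Ruby audit below combines the two checks a defender wants here: whether an installed rack-cors version falls in the advisory's affected range, and whether any .rb file under a gem directory actually carries the world-writable bit. The scan runs against a constructed temporary gem tree (assumed layout, not a real installation) so it is safe to run anywhere.

```ruby
require "fileutils"
require "tmpdir"
require "rubygems"

# Affected range as stated in the advisory: >= 2.0.1, < 2.0.2
AFFECTED_RACK_CORS = Gem::Requirement.new(">= 2.0.1", "< 2.0.2")

def rack_cors_affected?(version)
  AFFECTED_RACK_CORS.satisfied_by?(Gem::Version.new(version))
end

# Return [relative_path, "0mode"] for every .rb file under gem_dir whose
# permission bits include other-write (0o002), i.e. the 0666 case.
def world_writable_rb_files(gem_dir)
  Dir.glob(File.join(gem_dir, "**", "*.rb")).filter_map do |path|
    mode = File.stat(path).mode & 0o777
    next if (mode & 0o002).zero?
    [path.delete_prefix("#{gem_dir}/"), format("%04o", mode)]
  end.sort
end

# Audit every installed rack-cors gem: version-range check plus an
# on-disk permission scan, so a copy that was re-chmodded still shows up
# as an affected version and a never-fixed copy shows its 0666 files.
def audit_installed_rack_cors
  Gem::Specification.find_all_by_name("rack-cors").map do |spec|
    { version: spec.version.to_s,
      affected_version: rack_cors_affected?(spec.version.to_s),
      world_writable: world_writable_rb_files(spec.full_gem_path) }
  end
end

# Constructed gem tree standing in for GEM_HOME/gems: one 2.0.1-style
# copy with a 0666 file and one 2.0.0-style copy with 0644.
def demo_scan
  Dir.mktmpdir do |root|
    { "rack-cors-2.0.1" => 0o666, "rack-cors-2.0.0" => 0o644 }.each do |name, mode|
      dir = File.join(root, name, "lib", "rack", "cors")
      FileUtils.mkdir_p(dir)
      file = File.join(dir, "resource.rb")
      File.write(file, "# constructed placeholder, not the gem's code\n")
      File.chmod(mode, file)
    end
    world_writable_rb_files(root)
  end
end

puts demo_scan.inspect if $PROGRAM_NAME == __FILE__
```

On a real host, `audit_installed_rack_cors` returns one hash per installed rack-cors spec; an empty `world_writable` list on an affected version means someone re-chmodded the files, which the advisory notes will not survive the next gem update.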

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rack-cors (RubyGems)
Affected versions: >= 2.0.1, < 2.0.2
Patched versions: 2.0.2

Affected products

  • rack-cors / Rack CORS Middleware
  • ghsa-coords
    Range: >= 2.0.1, < 2.0.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.