From e9ddb3acef5f04bba7d8ed574feb5004bd743d8f Mon Sep 17 00:00:00 2001
From: Al Snow <jasnow@hotmail.com>
Date: Sat, 24 Aug 2024 07:57:05 -0400
Subject: [PATCH] GSHA SYNC: 1 brand new advisory

---
 gems/request_store/CVE-2024-43791.yml | 39 +++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 gems/request_store/CVE-2024-43791.yml

diff --git a/gems/request_store/CVE-2024-43791.yml b/gems/request_store/CVE-2024-43791.yml
new file mode 100644
index 0000000000..345391e0e4
--- /dev/null
+++ b/gems/request_store/CVE-2024-43791.yml
@@ -0,0 +1,39 @@
+---
+gem: request_store
+cve: 2024-43791
+ghsa: frp2-5qfc-7r8m
+url: https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+title: request_store has Incorrect Default Permissions
+date: 2024-08-23
+description: |
+  ### Impact
+
+  The files published as part of request_store 1.3.2 have 0666
+  permissions, meaning that they are world-writable, which allows
+  local users to execute arbitrary code.
+
+  This version was published in 2017, and most production environments
+  do not allow access for local users, so the chances of this being
+  exploited are very low, given that the vast majority of users will
+  have upgraded, and those that have not, if any, are not likely to
+  be exposed.
+
+  ### Patches
+
+  I am not aware of any other version of the gem with incorrect
+  permissions, so simply upgrading should fix the issue.
+
+  ### Workarounds
+
+  You could chmod the files yourself, I guess.
+cvss_v3: 7.8
+unaffected_versions:
+  - "< 1.3.2"
+patched_versions:
+  - ">= 1.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-43791
+    - https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m
+    - https://cwe.mitre.org/data/definitions/276.html
+    - https://github.com/advisories/GHSA-frp2-5qfc-7r8m