
Cloud Vulnerability DB
A community-led vulnerabilities database
rack-cors (aka Rack CORS Middleware) version 2.0.1 contains an insecure file permission vulnerability where .rb files are distributed with 0666 (world-readable and writable) permissions. This vulnerability was discovered on February 22, 2024, and was assigned CVE-2024-27456. The issue specifically affects the rack-cors gem version 2.0.1, while previous versions do not exhibit this problem (GitHub Issue).
The vulnerability stems from incorrect default permissions (CWE-276) where the .rb files in the gem's lib/rack/cors directory are set with world-writable permissions (666). This includes critical files such as resource.rb, resources.rb, result.rb, and version.rb. The CVSS v3.1 base score is 9.1 (CRITICAL) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (CISA-ADP).
The insecure file permissions could lead to unauthorized information disclosure and data tampering, depending on the deployment environment and usage of the affected files. The vulnerability allows any user to read and modify the files, potentially compromising the security of applications using the affected gem (GitHub Issue).
The recommended mitigation is to use versions other than 2.0.1 of the rack-cors gem. Version 2.0.2 has been released with fixed permissions. For packaged distributions, such as Debian, the vulnerability does not affect their packages as they correctly set the file permissions during the packaging process (Debian Tracker).
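The following Ruby script is an added example, not code from the rack-cors project or from this advisory. It reproduces the condition the advisory describes (the four named .rb files under lib/rack/cors carrying mode 0666) in a constructed temporary directory, lists every .rb file that is group- or world-writable, and clears those write bits in place. The helper `installed_rack_cors_dir` is an assumption about how a practitioner would point the same check at a real installed gem; the demo itself never touches an installed gem.

```ruby
require "tmpdir"
require "fileutils"

# File names the advisory lists under the gem's lib/rack/cors directory.
AFFECTED_FILES = %w[resource.rb resources.rb result.rb version.rb].freeze

# Returns the .rb files below +dir+ whose mode has the group or other write
# bit set (mask 0o022), i.e. the 0666 condition reported for rack-cors 2.0.1.
def world_writable_ruby_files(dir)
  Dir.glob(File.join(dir, "**", "*.rb")).select do |path|
    (File.stat(path).mode & 0o022) != 0
  end
end

# Clears the group/other write bits while keeping every other mode bit,
# so 0666 becomes 0644. Returns a hash of path => new mode.
def fix_permissions!(paths)
  paths.each_with_object({}) do |path, modes|
    new_mode = File.stat(path).mode & 0o7777 & ~0o022
    File.chmod(new_mode, path)
    modes[path] = new_mode
  end
end

# Assumed helper: locate an installed rack-cors gem so the same check can be
# run against its real directory; nil when the gem is not installed.
def installed_rack_cors_dir
  Gem::Specification.find_by_name("rack-cors").gem_dir
rescue Gem::LoadError
  nil
end

# Builds a constructed stand-in for the gem tree with the advisory's
# permissions, runs the check, applies the fix, and reports both states.
def demo
  Dir.mktmpdir("rack-cors-check") do |root|
    lib = File.join(root, "lib", "rack", "cors")
    FileUtils.mkdir_p(lib)
    AFFECTED_FILES.each do |name|
      path = File.join(lib, name)
      File.write(path, "# constructed placeholder for #{name}\n")
      File.chmod(0o666, path) # chmod ignores umask, so the bits are exact
    end

    before = world_writable_ruby_files(root).map { |p| File.basename(p) }.sort
    fixed  = fix_permissions!(world_writable_ruby_files(root))
    after  = world_writable_ruby_files(root)

    { before: before, fixed_modes: fixed.values.uniq, after: after }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "world-writable before fix: #{result[:before].join(', ')}"
  puts "modes after fix: #{result[:fixed_modes].map { |m| format('%04o', m) }.join(', ')}"
  puts "world-writable after fix:  #{result[:after].size}"
  if (dir = installed_rack_cors_dir)
    offenders = world_writable_ruby_files(dir)
    puts "installed rack-cors at #{dir}: #{offenders.size} world-writable .rb file(s)"
  end
end
```

Running the script against an installed gem only reports; the permission fix is applied to the constructed directory in the demo, so a practitioner can decide separately whether to chmod the real gem files or, as the advisory recommends, upgrade to 2.0.2.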
Source: This report was generated using AI