Описание
Insecure Default Configuration in airbrake
Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive information.
Recommendation
Update to version 0.4.0 or later, or upgrade from the now-deprecated airbrake module to its replacement, airbrake-js.
Пакеты
airbrake
< 0.4.0
0.4.0
Связанные уязвимости
The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.