GHSA-94cq-7ccq-cmcm

Published: 24 Jan 2018
Source: github
Github: Reviewed
CVSS3: 7.8

Description

lynx doesn't properly sanitize user input and exposes database password to unauthorized users

The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.

As of version 1.0.0, lynx no longer supports a --password option. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line.
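The exposure and the fix described above can be checked from a second process. The following is an added example, not code from the lynx gem: it starts a stand-in child (a sleeping Ruby process) first with the password in its arguments and then with only a config-file path, and reads back what a process listing shows. The `--user` and `--config` flag names and the sample password are assumptions made for illustration.

```ruby
require "rbconfig"
require "tempfile"

# Argument list as any local user sees it: /proc/<pid>/cmdline on Linux,
# falling back to ps(1) elsewhere.
def visible_cmdline(pid)
  proc_file = "/proc/#{pid}/cmdline"
  return File.binread(proc_file).tr("\0", " ").strip if File.readable?(proc_file)
  `ps -o args= -p #{pid}`.strip
end

# Start a stand-in client (a sleeping Ruby child, not lynx) with the given
# arguments and return what a process listing shows for it.
def observe(client_args)
  pid = Process.spawn(RbConfig.ruby, "-e", "sleep 30", "--", *client_args)
  visible_cmdline(pid)
ensure
  if pid
    Process.kill("KILL", pid)
    Process.wait(pid)
  end
end

# Pre-1.0.0 pattern from the advisory: the password is an argv element.
def leaky_args(password)
  ["--user=app", "--password=#{password}"]      # --user is hypothetical
end

# Post-fix pattern: the password lives in a 0600 file; argv carries only the path.
def observe_with_config_file(password)
  Tempfile.create("client-conf") do |conf|       # Tempfile creates the file mode 0600
    conf.write("password=#{password}\n")
    conf.flush
    observe(["--user=app", "--config=#{conf.path}"])  # --config is hypothetical
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-s3cret"                  # constructed sample value
  puts "argv password : #{observe(leaky_args(secret))}"
  puts "config file   : #{observe_with_config_file(secret)}"
end
```

The same check works as a regression test for any wrapper that shells out to a database client: assert that the secret never appears in the child's visible argument list.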

Packages

Name: lynx (rubygems)
Affected versions: <= 0.4.0
Fixed version: 1.0.0

EPSS: 0.00078 (percentile: 23%, Low)

CVSS3: 7.8 High

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 7.8
nvd
about 8 years ago

The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
