PT-2018-4242 · Ruby · Lawn-Login Gem

Larry W. Cashdollar

Publicado

2018-01-10

Atualizado

2018-01-30

CVE-2014-5000

CVSS v3.1

7.8

Alta

Vetor

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions lawn-login gem version 0.0.7

Description The issue concerns the login function in the lawn-login gem for Ruby, which places credentials on the curl command line. This allows local users to obtain sensitive information by listing the process. The lib/lawn.rb file is specifically affected.

Recommendations For version 0.0.7, consider modifying the login function to avoid placing credentials on the command line, or restrict access to process listings to minimize the risk of exploitation. As a temporary workaround, consider disabling the login function until a patch is available.

Exploit

Correção

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-200

Identificadores relacionados

CVE-2014-5000

GHSA-RHGQ-VV9X-J4P5

Produtos afetados

Lawn-Login Gem

PT-2018-4242 · Ruby · Lawn-Login Gem

CVE-2014-5000

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8