PT-2018-4234 · Ruby · Cap-Strap

Larry W. Cashdollar

Published

2018-01-10

Updated

2018-03-16

CVE-2014-4992

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions cap-strap gem version 0.1.5

Description The issue allows local users to obtain sensitive information by listing the process, as credentials are placed on the useradd command line in the lib/cap-strap/helpers.rb file of the cap-strap gem for Ruby.

Recommendations For cap-strap gem version 0.1.5, consider updating to a newer version that does not place credentials on the command line, or as a temporary workaround, restrict access to sensitive information that could be exposed through process listing.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2014-4992

GHSA-PCM6-G2QP-9GW8

Affected Products

Cap-Strap

PT-2018-4234 · Ruby · Cap-Strap

CVE-2014-4992

Weakness Enumeration

Related Identifiers

Affected Products

References · 8