PT-2018-4235 · Openssl+1 · Openssl+2

Larry W. Cashdollar

Published

2018-01-10

Updated

2022-05-14

CVE-2014-4993

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions backup-agoddard gem version 3.0.28 backup checksum gem version 3.0.23

Description The issue allows local users to obtain sensitive information by listing the process, as credentials are placed on the openssl command line in the lib/backup/cli/utility.rb file of the affected gems.

Recommendations For backup-agoddard gem version 3.0.28, consider updating to a version where the credentials are not placed on the openssl command line. For backup checksum gem version 3.0.23, consider updating to a version where the credentials are not placed on the openssl command line. As a temporary workaround, consider restricting access to the lib/backup/cli/utility.rb file to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2014-4993

GHSA-WR5J-Q359-6VR2

Affected Products

Backup-Agoddard

Backup Checksum

Openssl

PT-2018-4235 · Openssl+1 · Openssl+2

CVE-2014-4993

Weakness Enumeration

Related Identifiers

Affected Products

References · 8