PT-2018-4239 · Ruby · Point-Cli

Larry W. Cashdollar

Published

2018-01-10

Updated

2022-05-14

CVE-2014-4997

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions point-cli gem version 0.0.1

Description The issue allows local users to obtain sensitive information by listing the process, as credentials are placed on the curl command line in the lib/commands/setup.rb file of the point-cli gem for Ruby.

Recommendations For point-cli gem version 0.0.1, consider restricting access to sensitive information and avoid using the lib/commands/setup.rb file until a fix is available. As a temporary workaround, consider modifying the lib/commands/setup.rb file to handle credentials securely, such as using environment variables or a secure storage mechanism for sensitive information.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2014-4997

GHSA-MC8M-X6HF-CW2G

Affected Products

Point-Cli

PT-2018-4239 · Ruby · Point-Cli

CVE-2014-4997

Weakness Enumeration

Related Identifiers

Affected Products

References · 7