GHSA-94cq-7ccq-cmcm

Source

https://github.com/advisories/GHSA-94cq-7ccq-cmcm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-94cq-7ccq-cmcm/GHSA-94cq-7ccq-cmcm.json

Aliases

CVE-2014-5002

Published

2018-01-24T17:10:45Z

Modified

2024-02-16T08:18:11.775966Z

Details

The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.

As of version 1.0.0, lynx no longer supports a --password option. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line.

References

https://nvd.nist.gov/vuln/detail/CVE-2014-5002
https://github.com/panthomakos/lynx/issues/3
https://github.com/panthomakos/lynx
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lynx/CVE-2014-5002.yml
http://www.openwall.com/lists/oss-security/2014/07/07/23
http://www.openwall.com/lists/oss-security/2014/07/17/5
http://www.vapid.dhs.org/advisories/lynx-0.2.0.html

Affected packages

RubyGems / lynx

Package

Name: lynx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.0.0

Affected versions

0.*

0.0.1

0.0.2

0.1.0

0.2.0

0.2.1

0.3.0

0.4.0

Database specific

{
    "last_known_affected_version_range": "<= 0.4.0"
}