GHSA-94cq-7ccq-cmcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-94cq-7ccq-cmcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-94cq-7ccq-cmcm/GHSA-94cq-7ccq-cmcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-94cq-7ccq-cmcm
- Aliases
-
- CVE-2014-5002
- Published
- 2018-01-24T17:10:45Z
- Modified
- 2024-02-16T08:18:11.775966Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- lynx doesn't properly sanitize user input and exposes database password to unauthorized users
- Details
-
The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
As of version 1.0.0, lynx no longer supports a
--passwordoption. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line. - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:27:24Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-5002
- https://github.com/panthomakos/lynx/issues/3
- https://github.com/panthomakos/lynx
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lynx/CVE-2014-5002.yml
- http://www.openwall.com/lists/oss-security/2014/07/07/23
- http://www.openwall.com/lists/oss-security/2014/07/17/5
- http://www.vapid.dhs.org/advisories/lynx-0.2.0.html
Affected packages
RubyGems / lynx
Package
- Name
- lynx
- Purl
- pkg:gem/lynx