GHSA-fqrr-rrwg-69pv

Suggest an improvement
Source
https://github.com/advisories/GHSA-fqrr-rrwg-69pv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-fqrr-rrwg-69pv/GHSA-fqrr-rrwg-69pv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fqrr-rrwg-69pv
Aliases
  • CVE-2014-1233
Published
2017-10-24T18:33:36Z
Modified
2024-02-16T08:09:35.039589Z
Summary
Local API Login Credentials Disclosure in paratrooper-pingdom
Details

The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.

Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

def setup(options = {})
  %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=true" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]        
end

def teardown(options = {})
  %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=false" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]        
end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

References

Affected packages

RubyGems / paratrooper-pingdom

Package

Name
paratrooper-pingdom
Purl
pkg:gem/paratrooper-pingdom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.0

Affected versions

1.*

1.0.0