oss-sec mailing list archives

Re: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials


From: cve-assign () mitre org
Date: Wed, 8 Jan 2014 12:56:11 -0500 (EST)

curl ... -H "App-Key: #{app_key}" -u "#{username}:#{password}"

A malicious user could monitor the process tree to steal the API key,
username and password for the API login.

Use CVE-2014-1233.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]