Lucene search

GitHub Advisory DatabaseGHSA-RHGQ-VV9X-J4P5

HistoryJan 22, 2018 - 11:45 p.m.

lawn-login exposes database password to unauthorized users

2018-01-2223:45:33

CWE-200

GitHub Advisory Database

github.com

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.

Affected configurations

Vulners

Node

lawnloginMatch0.0.7

CPENameOperatorVersion
lawn-logineq0.0.7

CPE	Name	Operator	Version
	lawn-login	eq	0.0.7

References

github.com/advisories/GHSA-rhgq-vv9x-j4p5

github.com/rubysec/ruby-advisory-db/blob/master/gems/lawn-login/CVE-2014-5000.yml

nvd.nist.gov/vuln/detail/CVE-2014-5000

web.archive.org/web/20200229060607/www.vapid.dhs.org/advisories/lawn-login-0.0.7.html

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

5.1%

JSON

Related for GHSA-RHGQ-VV9X-J4P5