Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cGg3LTVjNDQtcHBwds4AAXfe
kajam allows local users to obtain sensitive information by listing the process
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.
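To illustrate the weakness described above, here is an added Ruby example (not code from kajam or from the advisory): a mysqldump argv built the way the advisory describes exposes the password to any local user who lists processes, while the hardened variant hands credentials to mysqldump/mysql through a temporary 0600 `--defaults-extra-file` that is unlinked after use. The function names, the option-file layout helper and the sample credentials are constructed for this example.

```ruby
require "tempfile"

# Vulnerable shape (what the advisory describes for capture/restore):
# the password is an argv element, so any local user can read it with
# `ps -ef` or from /proc/<pid>/cmdline while mysqldump runs.
def leaky_dump_argv(db, user, password)
  ["mysqldump", "-u", user, "-p#{password}", db]
end

# Quote a value for a MySQL option file, escaping backslash and double quote.
def option_value(value)
  '"' + value.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# Hardened shape: credentials go into a temporary option file created with
# mode 0600 and removed when the block finishes, so the secret never
# appears in argv and does not outlive the command.
def with_client_options(user, password)
  f = Tempfile.new("mysql-client")
  File.chmod(0600, f.path)
  f.write("[client]\nuser=#{option_value(user)}\npassword=#{option_value(password)}\n")
  f.flush
  yield f.path
ensure
  f&.close!  # close and unlink the option file
end

# --defaults-extra-file must be the first option on the mysql/mysqldump line.
def safe_dump_argv(db, defaults_file)
  ["mysqldump", "--defaults-extra-file=#{defaults_file}", db]
end

def safe_restore_argv(db, defaults_file)
  ["mysql", "--defaults-extra-file=#{defaults_file}", db]
end

# Check helper: true if the secret would be visible in a process listing.
def argv_leaks?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  p argv_leaks?(leaky_dump_argv("app", "dbuser", "s3cret"), "s3cret")  # true
  with_client_options("dbuser", "s3cret") do |path|
    p argv_leaks?(safe_dump_argv("app", path), "s3cret")               # false
  end
end
```

Run the argv arrays with `Open3.capture3(*argv)` or `system(*argv)` (array form, no shell) so the arguments are passed verbatim.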
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cGg3LTVjNDQtcHBwds4AAXfe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-4ph7-5c44-pppv, CVE-2014-4999
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-4999
- http://www.openwall.com/lists/oss-security/2014/07/07/19
- http://www.openwall.com/lists/oss-security/2014/07/17/5
- http://www.vapid.dhs.org/advisories/kajam-1.0.3.rc2.html
- https://github.com/advisories/GHSA-4ph7-5c44-pppv
Affected Packages
rubygems:kajam
Affected Version Ranges: <= 1.0.3.rc2
No known fixed version