Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00cGg3LTVjNDQtcHBwds4AAXfe

kajam allows local users to obtain sensitive information by listing running processes

vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the MySQL user password on the command line of (1) mysqldump in the capture function and (2) mysql in the restore function. Because command-line arguments are visible to every local user through the process list, this allows local users to obtain the password while either command is running.
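The defect described above, as an added Ruby example that is not the kajam gem's own code: the vulnerable shape of the mysqldump invocation beside two hardened forms that keep the password out of argv (the child's environment, or a mode-0600 option file passed with `--defaults-extra-file`), plus a check a reviewer can run over any argv. Function names and the sample credentials are constructed for this example.

```ruby
# Added example, not code from the kajam gem. Shows why a password in argv is
# readable by other local users and two ways to pass it to mysqldump instead.
require "tempfile"

DB_USER     = "backup_user"    # constructed sample values
DB_PASSWORD = "s3cret-example"
DB_NAME     = "app_production"

# Vulnerable pattern (the shape the advisory describes): the password is an
# argv element, so it is visible in the process table (ps, /proc/<pid>/cmdline)
# to any local user for as long as mysqldump runs.
def exposed_mysqldump_argv(user:, password:, database:)
  ["mysqldump", "-u", user, "-p#{password}", database]
end

# Hardened pattern 1: hand the password to the child through its environment.
# Process.spawn(env, *argv) sets MYSQL_PWD only for that child; ps shows argv,
# not the environment of another user's process. MYSQL_PWD is honoured by the
# MySQL client tools (it is deprecated in newer releases but still supported).
def env_mysqldump_command(user:, password:, database:)
  env  = { "MYSQL_PWD" => password }
  argv = ["mysqldump", "-u", user, database]
  [env, argv]
end

# Hardened pattern 2: write a temporary option file readable only by the
# current user and point mysqldump at it. --defaults-extra-file must be the
# first option on the mysql/mysqldump command line. The file is unlinked in
# the ensure clause so the secret does not outlive the backup.
def with_defaults_file_mysqldump(user:, password:, database:)
  f = Tempfile.new("my-cnf")
  f.chmod(0o600)
  # Double quotes keep values containing '#' or spaces intact in option files.
  f.write("[client]\nuser=\"#{user}\"\npassword=\"#{password}\"\n")
  f.flush
  yield ["mysqldump", "--defaults-extra-file=#{f.path}", database]
ensure
  f.close! if f  # closes and deletes the file
end

# Review check usable on any argv array: does the secret appear in it?
def password_in_argv?(argv, password)
  argv.any? { |arg| arg.include?(password) }
end

if $PROGRAM_NAME == __FILE__
  bad = exposed_mysqldump_argv(user: DB_USER, password: DB_PASSWORD, database: DB_NAME)
  puts "exposed argv leaks password: #{password_in_argv?(bad, DB_PASSWORD)}"

  env, argv = env_mysqldump_command(user: DB_USER, password: DB_PASSWORD, database: DB_NAME)
  puts "env-based argv leaks password: #{password_in_argv?(argv, DB_PASSWORD)}"
  # Real invocation would be: pid = Process.spawn(env, *argv); Process.wait(pid)

  with_defaults_file_mysqldump(user: DB_USER, password: DB_PASSWORD, database: DB_NAME) do |a|
    puts "defaults-file argv leaks password: #{password_in_argv?(a, DB_PASSWORD)}"
  end
end
```

The same two patterns apply to the `mysql` command used on restore; the `--defaults-extra-file` route is the one to prefer when the dump is driven by an unprivileged service account, since it avoids leaving the password in the environment of a long-running parent process.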

Permalink: https://github.com/advisories/GHSA-4ph7-5c44-pppv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cGg3LTVjNDQtcHBwds4AAXfe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago

CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00042
EPSS Percentile: 0.05089

Identifiers: GHSA-4ph7-5c44-pppv, CVE-2014-4999
References:
Blast Radius: 1.0

Affected Packages

rubygems:kajam
Affected Version Ranges: <= 1.0.3.rc2
No known fixed version