Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk0Y3EtN2NjcS1jbWNt
lynx doesn't properly sanitize user input and exposes database password to unauthorized users
The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
As of version 1.0.0, lynx no longer supports a --password option. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk0Y3EtN2NjcS1jbWNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 7 years ago
Updated: about 1 year ago
CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-94cq-7ccq-cmcm, CVE-2014-5002
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-5002
- https://github.com/panthomakos/lynx/issues/3
- http://www.openwall.com/lists/oss-security/2014/07/07/23
- http://www.openwall.com/lists/oss-security/2014/07/17/5
- http://www.vapid.dhs.org/advisories/lynx-0.2.0.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lynx/CVE-2014-5002.yml
- https://github.com/advisories/GHSA-94cq-7ccq-cmcm
Blast Radius: 13.3
Affected Packages
rubygems:lynx
Dependent packages: 0Dependent repositories: 51
Downloads: 56,068 total
Affected Version Ranges: <= 0.4.0
Fixed in: 1.0.0
All affected versions: 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.4.0
All unaffected versions: 1.0.0, 1.1.0, 1.1.1