GHSA-94cq-7ccq-cmcm

Suggest an improvement
Source
https://github.com/advisories/GHSA-94cq-7ccq-cmcm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-94cq-7ccq-cmcm/GHSA-94cq-7ccq-cmcm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-94cq-7ccq-cmcm
Aliases
  • CVE-2014-5002
Published
2018-01-24T17:10:45Z
Modified
2023-11-01T04:45:42.720862Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
lynx doesn't properly sanitize user input and exposes database password to unauthorized users
Details

The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.

As of version 1.0.0, lynx no longer supports a --password option. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:27:24Z"
}
References

Affected packages

RubyGems / lynx

Package

Name
lynx
Purl
pkg:gem/lynx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0

Affected versions

0.*

0.0.1
0.0.2
0.1.0
0.2.0
0.2.1
0.3.0
0.4.0

Database specific

{
    "last_known_affected_version_range": "<= 0.4.0"
}