Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2014-1234
Vulnerability from gsd - Updated: 2014-01-08 00:00Details
Paratrooper-newrelic Gem for Ruby contains a flaw in
/lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
the API key, allowing a local attacker to gain access to it by monitoring the
process tree.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-1234",
"description": "The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.",
"id": "GSD-2014-1234"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "paratrooper-newrelic",
"purl": "pkg:gem/paratrooper-newrelic"
}
}
],
"aliases": [
"CVE-2014-1234",
"OSVDB-101839"
],
"details": "Paratrooper-newrelic Gem for Ruby contains a flaw in\n/lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes\nthe API key, allowing a local attacker to gain access to it by monitoring the\nprocess tree.\n",
"id": "GSD-2014-1234",
"modified": "2014-01-08T00:00:00.000Z",
"published": "2014-01-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 2.1,
"type": "CVSS_V2"
}
],
"summary": "Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1234",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140107 Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2014/01/08/2"
},
{
"name": "http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html",
"refsource": "MISC",
"url": "http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2014-1234",
"cvss_v2": 2.1,
"date": "2014-01-08",
"description": "Paratrooper-newrelic Gem for Ruby contains a flaw in\n/lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes\nthe API key, allowing a local attacker to gain access to it by monitoring the\nprocess tree.\n",
"gem": "paratrooper-newrelic",
"osvdb": 101839,
"title": "Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1234"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.0.0",
"affected_versions": "All versions",
"credit": "Larry W. Cashdollar",
"cvss_v2": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2014-01-10",
"description": "The file lib/paratrooper-newrelic.rb executes curl requests with Newrelic API credentials (account_id, application_id \u0026 api_key). If a malicious user manages to monitor the process tree that run on your server, he can then steal these credentials.",
"fixed_versions": [],
"identifier": "CVE-2014-1234",
"identifiers": [
"CVE-2014-1234"
],
"package_slug": "gem/paratrooper-newrelic",
"pubdate": "2014-01-10",
"solution": "There\u0027s no currently known solution.",
"title": "Newrelic API credentials exposure in process tree",
"urls": [
"http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html"
],
"uuid": "bb3c975f-3def-4290-aa05-7b4c977a3222"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:paratrooper-newrelic_project:paratrooper-newrelic:1.0.1:-:-:*:-:ruby:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1234"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20140107 Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key",
"refsource": "MLIST",
"tags": [
"Exploit"
],
"url": "http://openwall.com/lists/oss-security/2014/01/08/2"
},
{
"name": "http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2014-01-10T17:57Z",
"publishedDate": "2014-01-10T12:02Z"
}
}
}