Paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

2014.01.09
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-200


Overall CVSS score: 2.1/10
Impact: 2.9/10
Exploitability: 3.9/10
Access required: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials
Author: Larry W. Cashdollar, @_larry0
Date: 12/26/2013
CVE: Please assign.
Download: http://rubygems.org/gems/paratrooper-pingdom

Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper"

Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

    # Both methods hand a shell command to %x[] with the Pingdom App-Key and the
    # Basic-auth username:password interpolated straight into curl's arguments.
    # Those values therefore sit in the child process's argv, which any local
    # user can read with ps or from /proc/<pid>/cmdline while curl runs.
    def setup(options = {})
      %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=true" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]
    end

    def teardown(options = {})
      %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=false" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]
    end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html

References:

http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html
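The following is an added example, not code from the advisory or from the paratrooper-pingdom gem. It reproduces the leaky pattern in the same shape as the gem's setup/teardown, shows what an unprivileged local observer actually recovers from a child's argv (a sleeping Ruby child stands in for curl so nothing touches the network), and then gives two hardened forms: keeping the PUT in-process with Net::HTTP, or, if curl must stay, feeding the secrets to curl as a config file on stdin (-K -) so argv carries nothing sensitive. The Pingdom URL is the one from the advisory; the App-Key, username and password values are constructed for the demonstration, and hardened_request/send_request/safe_curl are hypothetical names.

```ruby
require "net/http"
require "uri"
require "rbconfig"

# URL taken from the advisory's vulnerable code.
PINGDOM_CHECKS = URI("https://api.pingdom.com/api/2.0/checks")

# 1. The leaky pattern (same shape as the gem's setup/teardown): the whole
#    command line, secrets included, goes to a shell and then into curl's argv.
def leaky_curl_command(app_key, username, password, paused)
  %(curl #{PINGDOM_CHECKS} -X PUT -d "paused=#{paused}" ) +
    %(-H "App-Key: #{app_key}" -u "#{username}:#{password}")
end

# 2. What any local user sees. A harmless Ruby child that just sleeps stands in
#    for curl, with the secret in its argv; we read the argv back the way `ps`
#    does (/proc/<pid>/cmdline on Linux, `ps -o args=` elsewhere).
def argv_seen_by_other_users(secret)
  pid = Process.spawn(RbConfig.ruby, "-e", "sleep 30", secret)
  seen = []
  20.times do
    seen = if File.exist?("/proc/#{pid}/cmdline")
             File.read("/proc/#{pid}/cmdline").split("\0")
           else
             `ps -o args= -p #{pid}`.split
           end
    break if seen.include?(secret)   # child may not have exec'd yet; retry
    sleep 0.1
  end
  seen
ensure
  if pid
    Process.kill("TERM", pid) rescue nil
    Process.wait(pid) rescue nil
  end
end

# 3a. Hardened: keep the HTTP call in-process. The credentials exist only in
#     this process's memory and inside the TLS-protected request; nothing is
#     forked, so nothing shows up in a process listing.
def hardened_request(app_key, username, password, paused)
  req = Net::HTTP::Put.new(PINGDOM_CHECKS)
  req["App-Key"] = app_key
  req.basic_auth(username, password)          # Authorization: Basic base64(user:pass)
  req.set_form_data("paused" => paused.to_s)  # body "paused=true" / "paused=false"
  req
end

def send_request(req)
  Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) { |http| http.request(req) }
end

# 3b. Hardened, if curl must stay: argv holds only non-secret options, and the
#     header/user lines are delivered as a curl config file on stdin (-K -).
#     Caveat: curl's config parser treats a double quote inside a quoted value
#     as a terminator unless backslash-escaped, so escape such characters.
def safe_curl(app_key, username, password, paused)
  argv   = ["curl", PINGDOM_CHECKS.to_s, "-X", "PUT", "-d", "paused=#{paused}", "-K", "-"]
  config = %(header = "App-Key: #{app_key}"\nuser = "#{username}:#{password}"\n)
  [argv, config]
end

def run_safe_curl(app_key, username, password, paused)
  argv, config = safe_curl(app_key, username, password, paused)
  # No shell involved: argv is passed as an array, secrets go through the pipe.
  IO.popen(argv, "r+") { |io| io.write(config); io.close_write; io.read }
end

if __FILE__ == $0
  puts "leaky argv observed: #{argv_seen_by_other_users("demo-secret").inspect}"
  argv, _config = safe_curl("APPKEY", "ops", "s3cr3t", true)
  puts "hardened curl argv: #{argv.join(' ')}"
end
```

The in-process variant is the one to prefer: the gem already runs inside Ruby, so shelling out to curl buys nothing and costs the argv exposure, plus a shell-injection surface if any of the interpolated values are attacker-influenced. If a subprocess is unavoidable, the rule is the same as for passwords generally: never on the command line, always via stdin, a config file with restrictive permissions, or an inherited file descriptor.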


Copyright 2024, cxsecurity.com