Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key
Author: Larry W. Cashdollar, @_larry0
Date: 2014-01-08
CVE-ID: CVE-2014-1234
CWE: CWE-200 Information Leak / Disclosure
Download Site: http://rubygems.org/gems/paratrooper-newrelic
Vendor: Brandon Farmer, Matt Polito
Vendor Notified: 2014-01-08
Vendor Contact: matt.polito@gmail.com
Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html
Description: Send deploy notifications to Newrelic service when deploying with Paratrooper.
Vulnerability: From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:
Lines 25 and 29 interpolate the New Relic API key into a curl command line. While curl runs, the full command line (key included) is visible to any local user who can read the process list, e.g. via ps or /proc/<pid>/cmdline, so a malicious local user can monitor the process tree and steal the credential.
24 def setup(options = {})
25 %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key}"]
26 end
27
28 def teardown(options = {})
29 %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}"]
30 end
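The following is an added example, not code from the gem or from the advisory author. It reduces the vulnerable pattern above to the string it hands to the shell (so the leak can be checked without running anything), and shows one way to fix it in Ruby: build the POST in-process with Net::HTTP so the key is sent only inside the TLS session and never appears in any process's argv. The host, URL path and header name are taken from the advisory's curl command; the helper names and the sample account, application and key values are assumptions made for the example.

```ruby
require "net/http"
require "uri"

# Added example, not the gem's own code.
# Host and path layout copied from the curl command in the advisory.
NEWRELIC_HOST = "heroku.newrelic.com"

def ping_target_url(account_id, application_id, action)
  "https://#{NEWRELIC_HOST}/accounts/#{account_id}/applications/#{application_id}/ping_targets/#{action}"
end

# The vulnerable pattern, reduced to the string %x[...] would pass to the shell.
# It is deliberately NOT executed here: this exact string is what `ps -ef` and
# /proc/<pid>/cmdline show to every local user for as long as curl is running.
def leaky_curl_command(account_id, application_id, api_key, action)
  %(curl #{ping_target_url(account_id, application_id, action)} -X POST -H "X-Api-Key: #{api_key}")
end

# Simple check a reviewer can apply to any shell-out: does the secret end up
# in the command line a child process would expose?
def secret_in_argv?(command, secret)
  command.include?(secret)
end

# Hardened replacement: the request is built and sent in-process. The key is
# only ever a header on an HTTPS request, so there is no child process and
# nothing for the process list to reveal.
def build_ping_target_request(account_id, application_id, api_key, action)
  unless %w[enable disable].include?(action)
    raise ArgumentError, "action must be 'enable' or 'disable'"
  end
  uri = URI(ping_target_url(account_id, application_id, action))
  req = Net::HTTP::Post.new(uri)
  req["X-Api-Key"] = api_key
  req
end

# Sends a request built above over TLS. Not called in the demo below, since
# the example must run offline.
def send_ping_target_request(req)
  Net::HTTP.start(req.uri.host, req.uri.port, use_ssl: true) do |http|
    http.request(req)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; not real New Relic identifiers or keys.
  account_id, application_id, api_key = "111", "222", "EXAMPLE-API-KEY"

  cmd = leaky_curl_command(account_id, application_id, api_key, "disable")
  puts "Command line a local user would see: #{cmd}"
  puts "Key visible in argv? #{secret_in_argv?(cmd, api_key)}"

  req = build_ping_target_request(account_id, application_id, api_key, "enable")
  puts "Hardened request: #{req.method} #{req.uri}"
  puts "Header carried in-process only: X-Api-Key=#{req['X-Api-Key']}"
end
```

If shelling out to curl cannot be avoided, the same property can be kept by passing the header via a file (`-H @headers.txt` or a `-K` config file readable only by the deploy user) rather than on the command line, so that the key is never part of argv.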