CVE-2014-4999 – kajam

Package

Manager: gem
Name: kajam
Vulnerable Version: >=0 <=1.0.3.rc2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00054 pctl0.16596

Details

kajam allows local users to obtain sensitive information by listing the process `vendor/plugins/dataset/lib/dataset/database/mysql.rb` in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.

Metadata

Created: 2022-05-14T03:47:44Z
Modified: 2023-01-26T23:55:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4ph7-5c44-pppv/GHSA-4ph7-5c44-pppv.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-4ph7-5c44-pppv
Finding: F310
Auto approve: 1