CVE-2014-5002 – lynx

Package

Manager: gem
Name: lynx
Vulnerable Version: >=0 <1.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00078 pctl0.24015

Details

lynx doesn't properly sanitize user input and exposes database password to unauthorized users The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes. As of version 1.0.0, lynx no longer supports a `--password` option. Passwords are only configured in a configuration file, so it's no longer possible to expose passwords on the command line.

Metadata

Created: 2018-01-24T17:10:45Z
Modified: 2023-01-23T20:52:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-94cq-7ccq-cmcm/GHSA-94cq-7ccq-cmcm.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-94cq-7ccq-cmcm
Finding: F308
Auto approve: 1