CVE-2014-5002 — Sensitive Information Exposure in Project Lynx

CWE-255 CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 76.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lynx Project Lynx

Timeline

PublishedJan 10

Latest updateJan 24

Description

The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDlynx_project/lynx< 1.0.0

▶RubyGemslynx_project/lynx< 1.0.0

🔴Vulnerability Details

OSV

lynx doesn't properly sanitize user input and exposes database password to unauthorized users↗2018-01-24

▶

GHSA

lynx doesn't properly sanitize user input and exposes database password to unauthorized users↗2018-01-24

▶