Platform
ruby
Component
paratrooper-newrelic
Fixed in
1.0.2
CVE-2014-1234 describes an information disclosure vulnerability affecting the paratrooper-newrelic gem for Ruby. This vulnerability allows a local attacker to retrieve the X-Api-Key by examining the process list, because the gem passes the key on the command line of the curl commands it executes. Versions of paratrooper-newrelic prior to 1.0.1 are affected. A fix is available by upgrading to a patched version.
The primary impact of CVE-2014-1234 is the exposure of the X-Api-Key. This key grants access to New Relic's API, potentially allowing an attacker to access sensitive application performance monitoring data, modify configurations, or even trigger actions within the monitored application. While the vulnerability requires local access, it represents a significant risk if an attacker can compromise a system running the vulnerable gem. The exposure of the API key could lead to unauthorized monitoring, data exfiltration, or even modification of the application's behavior, depending on the permissions associated with the key.
CVE-2014-1234 was published in 2017. There is no indication of this vulnerability being actively exploited in the wild. It is not listed on KEV or EPSS. Due to its local access requirement and relatively low CVSS score, the probability of exploitation is considered low. Refer to the official New Relic advisory for further details.
Exploit Status
EPSS
0.21% (43rd percentile)
The recommended mitigation for CVE-2014-1234 is to upgrade the paratrooper-newrelic gem to a version greater than 1.0.1. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the system running the gem to prevent local attackers from listing processes. While a direct workaround to prevent key exposure isn't available, limiting process visibility can reduce the attack surface. After upgrading, confirm the fix by verifying that the X-Api-Key is no longer exposed when listing processes using tools like ps or top.
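Two pieces a defender wants here, as an added example that is not code from the paratrooper-newrelic gem: a check that scans `ps -eo pid,args` output for an X-Api-Key header leaked through process arguments (the verification step described above), and the safer request pattern that keeps the key inside an HTTP header object so it never passes through a shell or argv. The sample process listing is constructed, and the New Relic deployments endpoint URL is an assumption.

```ruby
# Added example, not the gem's own code. Detects X-Api-Key values exposed in
# process arguments and shows a request pattern that avoids the exposure.
require 'net/http'
require 'uri'

# Matches a header-style "X-Api-Key: value" inside a command line.
SECRET_HEADER = /X-Api-Key\s*:\s*(\S+)/i

# Constructed sample of `ps -eo pid,args` output (header line included).
SAMPLE_PS = <<~PS
  PID ARGS
  1234 /usr/bin/ruby bin/rails server
  1301 curl -H 'X-Api-Key: deadbeef-example' -d deployment[app_id]=42 https://api.newrelic.com/deployments.xml
  1302 grep X-Api-Key app.log
PS

# Return [pid, key] pairs for every process whose arguments carry an
# X-Api-Key header. A bare "X-Api-Key" token without a value (like the grep
# above) is not reported, only header-style "name: value" leaks are.
def exposed_api_keys(ps_lines)
  ps_lines.each_line.drop(1).filter_map do |line|
    pid, args = line.strip.split(/\s+/, 2)
    next unless args && (m = args.match(SECRET_HEADER))
    [pid.to_i, m[1].delete("'\"")]
  end
end

# Hypothetical helper: run the same check against the live process table.
def scan_live_processes
  exposed_api_keys(`ps -eo pid,args`)
end

# Hardened request: the key is set on the Net::HTTP request object and sent
# over TLS from inside the Ruby process, so it never appears in argv.
# The endpoint URL below is an assumption, not taken from the advisory.
def build_deployment_request(api_key, app_id, description)
  uri = URI('https://api.newrelic.com/deployments.xml')
  req = Net::HTTP::Post.new(uri)
  req['X-Api-Key'] = api_key
  req.set_form_data('deployment[app_id]' => app_id,
                    'deployment[description]' => description)
  [uri, req]
end

if __FILE__ == $PROGRAM_NAME
  exposed_api_keys(SAMPLE_PS).each { |pid, key| puts "pid #{pid} leaks key #{key}" }
end
```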
No official patch available. Look for alternatives or monitor for updates.
CVE-2014-1234 is a vulnerability in the paratrooper-newrelic gem that allows a local attacker to retrieve the X-Api-Key by listing curl processes. It's rated LOW severity and affects versions ≤1.0.1.
You are affected if you are using paratrooper-newrelic version 1.0.1 or earlier. Check your gem versions using gem list paratrooper-newrelic.
Upgrade the paratrooper-newrelic gem to a version greater than 1.0.1 using gem update paratrooper-newrelic. If upgrading is not possible, restrict local access to the system.
There is no public evidence of CVE-2014-1234 being actively exploited in the wild at this time.
Refer to the New Relic security advisories for details: [https://docs.newrelic.com/security/advisories](https://docs.newrelic.com/security/advisories)