1.0.2
CVE-2014-1234 describes an information disclosure vulnerability affecting the paratrooper-newrelic gem for Ruby. This vulnerability allows a local attacker to retrieve the X-Api-Key by examining the process list, because the gem passes the key on the command line of the curl commands it executes. Versions of paratrooper-newrelic prior to 1.0.1 are affected. A fix is available by upgrading to a patched version.
The primary impact of CVE-2014-1234 is the exposure of the X-Api-Key. This key grants access to New Relic's API, potentially allowing an attacker to access sensitive application performance monitoring data, modify configurations, or even trigger actions within the monitored application. While the vulnerability requires local access, it represents a significant risk if an attacker can compromise a system running the vulnerable gem. The exposure of the API key could lead to unauthorized monitoring, data exfiltration, or even modification of the application's behavior, depending on the permissions associated with the key.
CVE-2014-1234 was published in 2017. There is no indication of this vulnerability being actively exploited in the wild. It is not listed on KEV or EPSS. Due to its local access requirement and relatively low CVSS score, the probability of exploitation is considered low. Refer to the official New Relic advisory for further details.
Exploitation status
EPSS
0.21% (43rd percentile)
The recommended mitigation for CVE-2014-1234 is to upgrade the paratrooper-newrelic gem to a version greater than 1.0.1. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the system running the gem to prevent local attackers from listing processes. While a direct workaround to prevent key exposure isn't available, limiting process visibility can reduce the attack surface. After upgrading, confirm the fix by verifying that the X-Api-Key is no longer exposed when listing processes using tools like ps or top.
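As an added defender-side check to support the ps/top verification described above (this is example code, not code from the paratrooper-newrelic gem or its author), the first function scans constructed `ps` output for an X-Api-Key header passed on a curl command line, and the second shows the same request built in-process with Net::HTTP so the key never enters a process's argv. The deployments endpoint and form field names are assumed for illustration.

```ruby
# Added example (not the paratrooper-newrelic gem's own code).
#  1. exposed_api_keys(ps_output): find processes whose command line carries
#     a New Relic X-Api-Key header, which is what CVE-2014-1234 exposes.
#  2. deployment_request: build the request in-process so the key is held
#     only in the HTTP header object and is not visible via ps or top.
require 'net/http'
require 'uri'

# Matches "X-Api-Key: <value>" or "X-Api-Key:<value>" however it was quoted.
API_KEY_RE = /X-Api-Key:\s*([A-Za-z0-9]+)/i

# Returns an array of {pid:, key:} hashes, one per curl process whose
# command line contains an X-Api-Key header. Input: text of `ps -eo pid,args`.
def exposed_api_keys(ps_output)
  ps_output.each_line.filter_map do |line|
    pid, args = line.strip.split(/\s+/, 2)
    next unless pid =~ /\A\d+\z/ && args          # skip the header line
    m = API_KEY_RE.match(args)
    next unless m && args.include?('curl')
    { pid: pid.to_i, key: m[1] }
  end
end

# Keep only a short prefix so a finding can be reported without copying
# the secret into logs or tickets.
def redact(key)
  key.length <= 4 ? '****' : key[0, 4] + '*' * (key.length - 4)
end

# Constructed sample of `ps -eo pid,args` output (the key is not real).
SAMPLE_PS = <<~PS
    PID COMMAND
      1 /sbin/init
   4242 curl -X POST -H "X-Api-Key: abcdef0123456789" https://api.newrelic.com/deployments.xml
   4243 ruby -e puts
PS

# Hardened form: the key goes into a Net::HTTP request header, never onto a
# shell command line. Endpoint and form fields are assumed for illustration.
def deployment_request(api_key, app_name)
  uri = URI('https://api.newrelic.com/deployments.xml')
  req = Net::HTTP::Post.new(uri)
  req['X-Api-Key'] = api_key
  req.set_form_data('deployment[app_name]' => app_name)
  req
end

exposed_api_keys(SAMPLE_PS).each { |f| puts "pid #{f[:pid]}: key #{redact(f[:key])}" }
```

On a live host, feed `exposed_api_keys` the output of `ps -eo pid,args` (via `IO.popen` or backticks) and expect an empty result after the upgrade.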
No official patch is available yet. Look for a temporary workaround or keep watching for updates.
CVE-2014-1234 is a vulnerability in the paratrooper-newrelic gem that allows a local attacker to retrieve the X-Api-Key by listing curl processes. It's rated LOW severity and affects versions ≤1.0.1.
You are affected if you are using paratrooper-newrelic version 1.0.1 or earlier. Check your gem versions using `gem list paratrooper-newrelic`.
Upgrade the paratrooper-newrelic gem to a version greater than 1.0.1 using `gem update paratrooper-newrelic`. If upgrading is not possible, restrict local access to the system.
There is no public evidence of CVE-2014-1234 being actively exploited in the wild at this time.
Refer to the New Relic security advisories for details: [https://docs.newrelic.com/security/advisories](https://docs.newrelic.com/security/advisories)