Related vulnerabilities
gsd-2013-0284
Vulnerability from gsd
Modified
2012-12-06 00:00
Details
A bug in the Ruby agent causes database connection information and raw SQL
statements to be transmitted to New Relic servers. The database connection
information includes the database IP address, username, and password
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-0284",
"description": "Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data.",
"id": "GSD-2013-0284"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "newrelic_rpm",
"purl": "pkg:gem/newrelic_rpm"
}
}
],
"aliases": [
"CVE-2013-0284",
"OSVDB-90189"
],
"details": "A bug in the Ruby agent causes database connection information and raw SQL\nstatements to be transmitted to New Relic servers. The database connection\ninformation includes the database IP address, username, and password\n",
"id": "GSD-2013-0284",
"modified": "2012-12-06T00:00:00.000Z",
"published": "2012-12-06T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0284"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0284",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2013/q1/304"
},
{
"name": "https://newrelic.com/docs/ruby/ruby-agent-security-notification",
"refsource": "CONFIRM",
"url": "https://newrelic.com/docs/ruby/ruby-agent-security-notification"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-0284",
"cvss_v2": 5.0,
"date": "2012-12-06",
"description": "A bug in the Ruby agent causes database connection information and raw SQL\nstatements to be transmitted to New Relic servers. The database connection\ninformation includes the database IP address, username, and password\n",
"gem": "newrelic_rpm",
"osvdb": 90189,
"patched_versions": [
"\u003e= 3.5.3.25"
],
"title": "Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0284"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.2.0 \u003c3.5.2",
"affected_versions": "All versions starting from 3.2.0 before 3.5.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2013-04-10",
"description": "A bug in the Ruby agent causes database connection information and raw SQL statements to be transmitted to New Relic servers. The database connection information includes the database IP address, username, and password. The information is not stored or retransmitted by New Relic and is immediately discarded.",
"fixed_versions": [
"3.5.3.25"
],
"identifier": "CVE-2013-0284",
"identifiers": [
"CVE-2013-0284"
],
"not_impacted": "Apps not using a relational database",
"package_slug": "gem/newrelic_rpm",
"pubdate": "2013-04-09",
"solution": "Upgrade and workarounds (see source)",
"title": "Ruby Agent Sensitive Information Disclosure",
"urls": [
"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0284",
"https://newrelic.com/docs/ruby/ruby-agent-security-notification"
],
"uuid": "8f601937-3487-412b-9bdc-fb8dc97d45a8"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.4.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.5.1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.4.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.3.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:newrelic:ruby_agent:3.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-0284"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://newrelic.com/docs/ruby/ruby-agent-security-notification",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://newrelic.com/docs/ruby/ruby-agent-security-notification"
},
{
"name": "[oss-security] 20130213 Some rubygems related CVEs",
"refsource": "MLIST",
"tags": [],
"url": "http://seclists.org/oss-sec/2013/q1/304"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-04-10T04:00Z",
"publishedDate": "2013-04-09T20:55Z"
}
}
}