lawn-login exposes database password to unauthorized users
High severity
GitHub Reviewed
Published
Jan 22, 2018
to the GitHub Advisory Database
•
Updated Sep 5, 2023
Description
Published to the GitHub Advisory Database
Jan 22, 2018
Reviewed
Jun 16, 2020
Last updated
Sep 5, 2023
The login function in
lib/lawn.rb
in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.References