It was reported [1] that when logging is enabled, ... puts passwords to the log file in plaintext.

Suggested fix: https://github.com/rest-client/rest-client/issues/352

[1]: https://github.com/rest-client/rest-client/issues/349
Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 1192505]
Affects: epel-all [bug 1192506]
Technical analysis:

This vulnerability affects all known versions of rest-client. The accepted fix is to redact the password part of the URL:

    sanitized_url = begin
      uri = URI.parse(url)
      uri.password = "REDACTED" if uri.password
      uri.to_s
    end

The fix is done by commit 60ae4a5373e574bdeacd7b526c72f4e7d0ca858f and is included in the 1.7.3 release.

References:
https://github.com/xaviershay/rest-client/commit/60ae4a5373e574bdeacd7b526c72f4e7d0ca858f
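The redaction described in the comment above, as an added example that is not rest-client's own code. The helper names redact_url and log_request, the sample URLs, and the choice to log a fixed marker when the URL does not parse are assumptions of this example.

```ruby
require 'uri'
require 'logger'
require 'stringio'

# Hypothetical helper: return a form of +url+ that is safe to write to a log.
def redact_url(url)
  uri = URI.parse(url)
  # Only the password component is replaced; user, host, path and query stay
  # visible so the log line remains useful for debugging.
  uri.password = 'REDACTED' if uri.password
  uri.to_s
rescue URI::InvalidURIError
  # Fail closed (assumption of this example): an unparseable URL may still
  # carry credentials, so none of the raw string is echoed into the log.
  '[invalid uri]'
end

# Hypothetical logging wrapper: every URL passes through redact_url first.
def log_request(logger, http_method, url)
  logger.info("#{http_method.to_s.upcase} #{redact_url(url)}")
end

# Constructed sample URLs (not taken from any real system).
SAMPLE_URLS = [
  'https://alice:s3cret@api.example.test/v1/items?page=2', # user + password
  'https://alice@api.example.test/v1/items',               # user only
  'https://api.example.test/v1/items',                     # no userinfo
  'https://alice:s3 cret@api.example.test/'                # malformed (space)
].freeze

# Run all samples through a Logger backed by an in-memory buffer and return
# the captured log text.
def demo_log_output
  buffer = StringIO.new
  logger = Logger.new(buffer)
  SAMPLE_URLS.each { |url| log_request(logger, :get, url) }
  buffer.string
end

puts demo_log_output if __FILE__ == $PROGRAM_NAME
```
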