It was found that the REST client for Ruby logged password information in plain text in the log files. A local attacker could use this flaw to gain access to password information. Upstream issue: https://github.com/rest-client/rest-client/issues/349 Upstream patch: https://github.com/xaviershay/rest-client/commit/60ae4a5373e574bdeacd7b526c72f4e7d0ca858f
Created rubygem-rest-client tracking bugs for this issue: Affects: fedora-all [bug 1240983]
Mitigation: The permissions on log files can be changed, e.g. using "chmod o-rwx" to prevent anyone but the user and group owner of the file from reading it. Additionally the group permissions can also be removed, e.g. "chmod g-rwx" if only the user owning the file should be able to see it.
This issue affects the versions of rubygem-rest-client as shipped with various Red Hat products ad versions. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.