1240982 – (CVE-2015-3448) CVE-2015-3448 rubygem-rest-client: unsanitized application logging

Bug 1240982 (CVE-2015-3448) - CVE-2015-3448 rubygem-rest-client: unsanitized application logging

Summary: CVE-2015-3448 rubygem-rest-client: unsanitized application logging

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2015-3448
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1240983 1240984 1865809 1865816
Blocks:	1240985
TreeView+	depends on / blocked

Reported:	2015-07-08 09:46 UTC by Martin Prpič
Modified:	2021-12-14 18:47 UTC (History)
CC List:	69 users (show)
Fixed In Version:	rest-client 1.7.3
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-07-14 02:27:35 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-07-08 09:46:48 UTC

It was found that the REST client for Ruby logged password information in plain text in the log files. A local attacker could use this flaw to gain access to password information.

Upstream issue:

https://github.com/rest-client/rest-client/issues/349

Upstream patch:

https://github.com/xaviershay/rest-client/commit/60ae4a5373e574bdeacd7b526c72f4e7d0ca858f

Comment 2 Martin Prpič 2015-07-08 09:50:10 UTC

Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 1240983]

Comment 3 Kurt Seifried 2015-07-14 02:25:18 UTC

Mitigation:

The permissions on log files can be changed, e.g. using "chmod o-rwx" to prevent anyone but the user and group owner of the file from reading it. Additionally the group permissions can also be removed, e.g. "chmod g-rwx" if only the user owning the file should be able to see it.

Comment 4 Kurt Seifried 2015-07-14 02:27:35 UTC

This issue affects the versions of rubygem-rest-client as shipped with various Red Hat products ad versions. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.

abaron
aortega
apatters
apevec
ayoung
bbuckingham
bcourt
bhu
bkearney
bleanhar
btotty
cbillett
ccoleman
chrisw
cpelland
cperry
dajohnso
dallan
dclarizi
dmcphers
esammons
gblomqui
gkotton
gmccullo
gtanzill
hhudgeon
iboverma
jdetiber
jfrey
jhardy
jialiu
jkeck
joelsmith
jokerman
jprause
jrafanie
jross
katello-bugs
kseifried
lhh
lmeyer
lpeer
lzap
markmc
matt
mburns
mcressma
mfojtik
mmccomas
mmccune
mrg-program-list
nmoumoul
obarenbo
ohadlevy
rbryant
rchan
rhos-maint
rjerrido
roliveri
sclewis
sokeeffe
tbielawa
tdawson
tdecacqu
tjay
tomckay
williams
xlecauch
yeylon