Blacklist keys are no longer being filtered in airbrake-ruby
Published: April 10, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-16060 (NVD)
- GHSA: GHSA-2p82-v77v-mppr
- Vendor Advisory: https://github.com/airbrake/airbrake-ruby/issues/468
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
UNAFFECTED VERSIONS
< 4.2.3
> 4.2.3
PATCHED VERSIONS
>= 4.2.4
DESCRIPTION
A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered before it was sent to Airbrake. That data could include user passwords, so an app could leak user passwords without knowing it.
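
The following check is an added example, not code from the advisory or from the airbrake-ruby project: it reads Gemfile.lock text and reports whether the resolved airbrake-ruby version falls inside the affected range given above, including the case where the gem is pulled in only as a dependency of another gem. The sample lockfile and the gem name my_error_reporting are constructed for illustration.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement

# Version ranges copied from the advisory above.
GEM_NAME   = 'airbrake-ruby'
UNAFFECTED = [Gem::Requirement.new('< 4.2.3'), Gem::Requirement.new('> 4.2.3')].freeze
PATCHED    = Gem::Requirement.new('>= 4.2.4')

# Resolved gems sit at exactly four spaces of indent under "specs:".
# Six-space lines are another gem's dependency constraints, not installs.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/

# Returns the resolved versions of GEM_NAME found in Gemfile.lock text.
def resolved_versions(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = SPEC_LINE.match(line.chomp)
    next unless m && m[1] == GEM_NAME
    # Drop a platform suffix such as "1.2.3-java" if present.
    Gem::Version.new(m[2].split('-').first)
  end.compact
end

# A version is affected when it matches none of the unaffected ranges.
def affected?(version)
  UNAFFECTED.none? { |req| req.satisfied_by?(version) }
end

# Returns one finding per resolved copy of the gem.
def audit(lockfile_text)
  resolved_versions(lockfile_text).map do |v|
    { version: v.to_s, affected: affected?(v), patched: PATCHED.satisfied_by?(v) }
  end
end

# Constructed sample: airbrake-ruby arrives only through a hypothetical
# wrapper gem, so it never appears in the application's own Gemfile.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      airbrake-ruby (4.2.3)
      my_error_reporting (1.0.0)
        airbrake-ruby (~> 4.2)

  DEPENDENCIES
    my_error_reporting
LOCK

audit(SAMPLE_LOCK).each { |finding| puts finding } if __FILE__ == $PROGRAM_NAME
```

To audit a real project, pass `File.read('Gemfile.lock')` to `audit`.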
