RubySec

Providing security resources for the Ruby community

CVE-2019-16060 (airbrake-ruby): Blacklist keys are no longer being filtered in airbrake-ruby

ADVISORIES

GEM

airbrake-ruby

UNAFFECTED VERSIONS

  • < 4.2.3
  • > 4.2.3

PATCHED VERSIONS

  • >= 4.2.4

DESCRIPTION

A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered prior to sending to Airbrake. Such data could be user passwords. Therefore, an app could leak user passwords without knowing it.