Insecure Default Configuration

Module: airbrake

Published: March 28th, 2016

Reported by: Phil Schleihauf

CVE-NONE

CWE-200

Vulnerable: <=0.3.8
Patched: >=0.4.0

Overview

Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. An attacker with a privileged network position can capture and read these environment variables, which may result in leaking sensitive information.

Remediation

Update to version 0.4.0 or later, or upgrade from the now-deprecated airbrake module to its replacement, airbrake-js.
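
An added example, not part of the original advisory or the airbrake project: a Node.js check that finds installs of the `airbrake` module in a parsed `package-lock.json` and marks those in the vulnerable range stated above. The function names, the sample lockfile and the `legacy-reporter` package are constructed for illustration.

```javascript
// Added example: flags installs of the "airbrake" module that fall in the
// advisory's vulnerable range (<=0.3.8) inside a parsed package-lock.json.
const LAST_VULNERABLE = [0, 3, 8]; // from the advisory: Vulnerable <=0.3.8

function isVulnerable(version) {
  // Compare major.minor.patch only; prerelease/build suffixes are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true; // unparseable (e.g. git URL): fail closed, review by hand
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== LAST_VULNERABLE[i]) return parts[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 0.3.8
}

function findAirbrake(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    // Exact name match, so the replacement "airbrake-js" is not reported.
    if (path.split("node_modules/").pop() === "airbrake") {
      found.push({ path, version: pkg.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates).
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === "airbrake") found.push({ path, version: dep.version });
      walk(dep.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found.map((f) => ({ ...f, vulnerable: isVulnerable(f.version) }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/airbrake": { version: "0.3.8" },
    "node_modules/airbrake-js": { version: "1.0.0" },
    "node_modules/legacy-reporter/node_modules/airbrake": { version: "0.4.0" },
  },
};
for (const f of findAirbrake(SAMPLE_LOCK)) {
  console.log(`${f.path} ${f.version} ${f.vulnerable ? "VULNERABLE" : "ok"}`);
}
```

To check a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAirbrake`; nested entries matter because a transitive dependency can pin an old airbrake even when the top-level one is patched.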

References

Issue #70