Insecure Default Configuration

Module: airbrake

Published: March 28th, 2016

Reported by: Phil Schleihauf

CVE-NONE

CWE-

Vulnerable: <=0.3.8
Patched: >=0.4.0

Overview

The airbrake module defaults to sending environment variables over HTTP. Environment variables often contain secret keys and other sensitive values. A malicious user on the same network as a regular user could intercept all the secret keys that user is sending. This goes against common best practice, which is to use HTTPS.

Remediation

Configure the module to use HTTPS, or update to at least version 0.4.0.
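To find installs that still fall in the vulnerable range, including copies pulled in by other packages, the following added example (not part of the advisory or the airbrake project) walks a dependency tree shaped like `npm ls --json` output. The function names, the sample tree and the `hypothetical-logger` package are constructed for illustration.

```javascript
// Advisory range from this page: vulnerable <=0.3.8, patched >=0.4.0.
const LAST_VULNERABLE = [0, 3, 8];

// Parse "major.minor.patch" (any pre-release/build suffix is ignored).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version falls in the advisory's vulnerable range.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable: report separately in real use
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_VULNERABLE[i]) return v[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 0.3.8
}

// Walk a dependency tree shaped like `npm ls --json` output and collect
// every airbrake install in the vulnerable range, including nested ones.
function findVulnerableAirbrake(node, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'airbrake' && isVulnerable(dep.version)) {
      hits.push({ path: here.join(' > '), version: dep.version });
    }
    hits.push(...findVulnerableAirbrake(dep, here));
  }
  return hits;
}

// Constructed sample tree (not from a real project).
const sampleTree = {
  name: 'example-app',
  dependencies: {
    airbrake: { version: '0.4.0' },
    'hypothetical-logger': {
      version: '1.2.0',
      dependencies: { airbrake: { version: '0.3.8' } },
    },
    express: { version: '4.13.4' },
  },
};

console.log(findVulnerableAirbrake(sampleTree));
```

A direct dependency on a patched version does not clear the project if a transitive dependency still bundles an older copy, which is the case the sample tree exercises.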

References
