CVE-2013-0284 : Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with

Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data.

Published 2013-04-09 20:55:02

Updated 2013-04-10 04:00:00

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2013-0284

Newrelic » Ruby Agent » Version: 3.3.5
cpe:2.3:a:newrelic:ruby_agent:3.3.5:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.4.0
cpe:2.3:a:newrelic:ruby_agent:3.4.0:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.4.0.1
cpe:2.3:a:newrelic:ruby_agent:3.4.0.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.4.1
cpe:2.3:a:newrelic:ruby_agent:3.4.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.2.0
cpe:2.3:a:newrelic:ruby_agent:3.2.0:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.0
cpe:2.3:a:newrelic:ruby_agent:3.3.0:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.1
cpe:2.3:a:newrelic:ruby_agent:3.3.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.2
cpe:2.3:a:newrelic:ruby_agent:3.3.2:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.5.1.14
cpe:2.3:a:newrelic:ruby_agent:3.5.1.14:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.5.1
cpe:2.3:a:newrelic:ruby_agent:3.5.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.5.2
cpe:2.3:a:newrelic:ruby_agent:3.5.2:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.2.1
cpe:2.3:a:newrelic:ruby_agent:3.3.2.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.4
cpe:2.3:a:newrelic:ruby_agent:3.3.4:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.4.2.1
cpe:2.3:a:newrelic:ruby_agent:3.4.2.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.5.0.1
cpe:2.3:a:newrelic:ruby_agent:3.5.0.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.3
cpe:2.3:a:newrelic:ruby_agent:3.3.3:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.3.4.1
cpe:2.3:a:newrelic:ruby_agent:3.3.4.1:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.4.2
cpe:2.3:a:newrelic:ruby_agent:3.4.2:*:*:*:*:*:*:*
Matching versions
Newrelic » Ruby Agent » Version: 3.5.0
cpe:2.3:a:newrelic:ruby_agent:3.5.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-0284

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 46 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-0284

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2013-0284

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0284

http://seclists.org/oss-sec/2013/q1/304

oss-sec: Some rubygems related CVEs

CVEs referencing this url
https://newrelic.com/docs/ruby/ruby-agent-security-notification

APM agent security: Ruby | New Relic Documentation
Vendor Advisory

Jump to

Vulnerability Details : CVE-2013-0284

Products affected by CVE-2013-0284

Exploit prediction scoring system (EPSS) score for CVE-2013-0284

CVSS scores for CVE-2013-0284

CWE ids for CVE-2013-0284

References for CVE-2013-0284