A vulnerability, which was classified as critical, has been found in airbrake Module up to 0.3.8 on Node.js (JavaScript Library). This issue affects an unknown part. The manipulation as part of a Environment Variable leads to a cryptographic issues vulnerability. Using CWE to declare the problem leads to CWE-310. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.

The bug was discovered 03/28/2016. The weakness was published 05/31/2018 (Website). It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2016-10530 since 10/29/2017. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1600 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 794 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• JavaScript Library

Name

• airbrake Module

Version

• 0.3.0
• 0.3.1
• 0.3.2
• 0.3.3
• 0.3.4
• 0.3.5
• 0.3.6
• 0.3.7
• 0.3.8

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion