CVE-2016-10530: Exposure of Sensitive Information to an Unauthorized Actor

February 18, 2019 (updated January 8, 2021)

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.

References

github.com/advisories/GHSA-856x-cp3q-47vg
github.com/airbrake/node-airbrake/issues/70
nodesecurity.io/advisories/96
nvd.nist.gov/vuln/detail/CVE-2016-10530
www.npmjs.com/advisories/96

Detect and mitigate CVE-2016-10530 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →