CVE-2016-10530
MEDIUM
airbrake < 0.3.8 - Unauthenticated Sensitive Information Exposure via HTTP Environment Variable Transmission
Title source: llm
Description
The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables often contain secret keys and other sensitive values. A malicious user on the same network as a regular user could intercept all the secret keys that user is sending. This goes against common best practice, which is to use HTTPS.
References (2)
Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/airbrake/node-airbrake/issues/70
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/96
Scores
CVSS v3
5.9
EPSS
0.0130
EPSS Percentile
67.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
CWE-310
Status
published
Products (2)
airbrake/airbrake
< 0.3.8
npm/airbrake
0 - 0.4.0
npm
Published
May 31, 2018
Tracked Since
Feb 18, 2026