CVE-2016-10530

MEDIUM

airbrake < 0.3.8 - Unauthenticated Sensitive Information Exposure via HTTP Environment Variable Transmission

Title source: llm

Description

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables often contain secret keys and other sensitive values. A malicious user on the same network as a regular user could intercept all the secret keys that user is sending. This goes against common best practice, which is to use HTTPS.

References (2)

Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/airbrake/node-airbrake/issues/70
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/96

Scores

CVSS v3 5.9
EPSS 0.0130
EPSS Percentile 67.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200 CWE-310
Status published
Products (2)
airbrake/airbrake < 0.3.8
npm/airbrake 0 - 0.4.0 (npm)
Published May 31, 2018
Tracked Since Feb 18, 2026