CVE-2013-0284: Infoleak
First published: Tue Apr 09 2013(Updated: )
Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/newrelic_rpm | >=3.2.0<=3.5.3.23 | 3.5.3.24 |
| New Relic Ruby Agent | =3.2.0 | |
| New Relic Ruby Agent | =3.3.0 | |
| New Relic Ruby Agent | =3.3.1 | |
| New Relic Ruby Agent | =3.3.2 | |
| New Relic Ruby Agent | =3.3.2.1 | |
| New Relic Ruby Agent | =3.3.3 | |
| New Relic Ruby Agent | =3.3.4 | |
| New Relic Ruby Agent | =3.3.4.1 | |
| New Relic Ruby Agent | =3.3.5 | |
| New Relic Ruby Agent | =3.4.0 | |
| New Relic Ruby Agent | =3.4.0.1 | |
| New Relic Ruby Agent | =3.4.1 | |
| New Relic Ruby Agent | =3.4.2 | |
| New Relic Ruby Agent | =3.4.2.1 | |
| New Relic Ruby Agent | =3.5.0 | |
| New Relic Ruby Agent | =3.5.0.1 | |
| New Relic Ruby Agent | =3.5.1 | |
| New Relic Ruby Agent | =3.5.1.14 | |
| New Relic Ruby Agent | =3.5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://seclists.org/oss-sec/2013/q1/304
- https://newrelic.com/docs/ruby/ruby-agent-security-notification
- https://nvd.nist.gov/vuln/detail/CVE-2013-0284
- https://web.archive.org/web/20130117025417/https://newrelic.com/docs/ruby/ruby-agent-security-notification
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/newrelic_rpm/CVE-2013-0284.yml
- https://github.com/advisories/GHSA-q6cw-2553-7837 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-0284?
CVE-2013-0284 is considered to be of high severity due to the potential exposure of sensitive data.
How do I fix CVE-2013-0284?
To fix CVE-2013-0284, upgrade the New Relic Ruby agent to version 3.5.3.24 or later.
What versions are affected by CVE-2013-0284?
CVE-2013-0284 affects New Relic Ruby agent versions 3.2.0 through 3.5.2.
What kind of sensitive data is exposed by CVE-2013-0284?
CVE-2013-0284 can expose sensitive information such as database credentials and SQL statements.
Is there a workaround for CVE-2013-0284?
There is no known workaround for CVE-2013-0284; upgrading to the fixed version is recommended.
- collector/github-advisory-latest
- alias/GHSA-q6cw-2553-7837
- alias/CVE-2013-0284
- collector/github-advisory
- agent/references
- agent/author
- agent/type
- agent/softwarecombine
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/rubygems
- vendor/newrelic
- canonical/new relic ruby agent
- version/new relic ruby agent/3.2.0
- version/new relic ruby agent/3.3.0
- version/new relic ruby agent/3.3.1
- version/new relic ruby agent/3.3.2
- version/new relic ruby agent/3.3.2.1
- version/new relic ruby agent/3.3.3
- version/new relic ruby agent/3.3.4
- version/new relic ruby agent/3.3.4.1
- version/new relic ruby agent/3.3.5
- version/new relic ruby agent/3.4.0
- version/new relic ruby agent/3.4.0.1
- version/new relic ruby agent/3.4.1
- version/new relic ruby agent/3.4.2
- version/new relic ruby agent/3.4.2.1
- version/new relic ruby agent/3.5.0
- version/new relic ruby agent/3.5.0.1
- version/new relic ruby agent/3.5.1
- version/new relic ruby agent/3.5.1.14
- version/new relic ruby agent/3.5.2