2.1

CVSS Score

Basic Information

CVE ID

CVE-2014-1233

GHSA ID

GHSA-fqrr-rrwg-69pv

EPSS Score

0.21461%

CWE

CWE-200

Published

10/24/2017

Updated

7/5/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-1233

CVE-2014-1233: Local API Login Credentials Disclosure in paratrooper-pingdom

The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.

Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

def setup(options = {})
  %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=true" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]        
end

def teardown(options = {})
  %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=false" -H "App-Key: #{app_key}" -u "#{username}:#{password}"]        
end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

(GitHub Advisory)

2.1

CVSS Score

Basic Information

CVE ID

CVE-2014-1233

GHSA ID

GHSA-fqrr-rrwg-69pv

EPSS Score

0.21461%

CWE

CWE-200

Published

10/24/2017

Updated

7/5/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

AV:L/AC:L/Au:N/C:P/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
paratrooper-pingdom	rubygems	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Both functions use Ruby's %x operator to execute curl commands with interpolated credentials (-u flag and App-Key header). This makes credentials visible in process listings as command-line arguments. The vulnerability documentation specifically identifies these functions as problematic, and the code pattern matches the described exposure mechanism through process monitoring.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p*r*troop*r-pin**om **m *.*.* *or Ru*y *llows lo**l us*rs to o*t*in t** *pp-K*y, us*rn*m*, *n* p*sswor* v*lu*s *y listin* t** *url pro**ss. ### Vuln*r**l* *o**: *rom: `p*r*troop*r-pin**om-*.*.*/li*/p*r*troop*r-pin**om.r*` ```ru*y *** s*tup(opt

Reasoning

*ot* *un*tions us* Ru*y's %x op*r*tor to *x**ut* *url *omm*n*s wit* int*rpol*t** *r***nti*ls (-u *l** *n* *pp-K*y *****r). T*is m*k*s *r***nti*ls visi*l* in `pro**ss` listin*s *s *omm*n*-lin* *r*um*nts. T** vuln*r**ility *o*um*nt*tion sp**i*i**lly i*

2.1

Basic Information

Concerned about an active attack path?

CVE-2014-1233: Local API Login Credentials Disclosure in paratrooper-pingdom

Vulnerable Code:

2.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI