CVE-2015-2179: xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
CVSS Score: 5.5 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.15428%
CWE
Published: 1/26/2023
Updated: 12/14/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| xaviershay-dm-rails | rubygems | <= 1.2.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory explicitly identifies the execute() function in storage.rb as the source of the vulnerability. The provided code snippet shows MySQL credentials being passed as plaintext command-line arguments via system(), which are visible in process listings. This matches the described exposure mechanism (CWE-200) where local attackers can view credentials via process inspection tools.
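The exposure pattern described above, next to one way to keep the password out of the argument vector. This is an added example, not the gem's code and not a fix taken from the advisory: the function names and sample settings are hypothetical, and it assumes the stock `mysql` client, whose `--defaults-extra-file` option reads credentials from an option file.

```ruby
require "tempfile"

# Constructed sample settings; not taken from the gem or the advisory.
SAMPLE = { user: "app", password: "s3cr3t-constructed", host: "127.0.0.1" }.freeze

# Pattern from the root cause analysis: credentials become argv entries,
# which any local user can read from the process table while mysql runs.
def argv_with_credentials(cfg, sql)
  ["mysql", "--user=#{cfg[:user]}", "--password=#{cfg[:password]}",
   "--host=#{cfg[:host]}", "-e", sql]
end

# Quote a value for a MySQL option file, escaping backslashes.
# Values with quotes or line breaks are rejected rather than guessed at.
def option_value(value)
  raise ArgumentError, "unsupported character in option value" if value =~ /["\r\n]/
  %("#{value.gsub("\\") { "\\\\" }}")
end

# Hardened form: credentials go into a 0600 option file and argv carries
# only its path. Returns [argv, tempfile]; keep the tempfile until the
# child process has exited, then call close! on it.
def argv_with_option_file(cfg, sql)
  file = Tempfile.new(["client", ".cnf"]) # Tempfile creates the file with mode 0600
  file.write("[client]\nuser=#{option_value(cfg[:user])}\n" \
             "password=#{option_value(cfg[:password])}\n" \
             "host=#{option_value(cfg[:host])}\n")
  file.flush
  # --defaults-extra-file has to be the first option on the command line.
  [["mysql", "--defaults-extra-file=#{file.path}", "-e", sql], file]
end

# Review aid: true when any argv element contains the secret.
def secret_in_argv?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  weak = argv_with_credentials(SAMPLE, "SELECT 1")
  safe, file = argv_with_option_file(SAMPLE, "SELECT 1")
  puts "argv with credentials leaks secret: #{secret_in_argv?(weak, SAMPLE[:password])}"
  puts "argv with option file leaks secret: #{secret_in_argv?(safe, SAMPLE[:password])}"
  file.close! # removes the temporary option file
end
```

Either array would be handed to `system(*argv)`; the example only builds and inspects it, so no MySQL client is needed to run it.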