Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key Author: Larry W. Cashdollar, @_larry0 CVE: Please assign one. Download: http://rubygems.org/gems/paratrooper-newrelic Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper." Vulnerable Code: From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb: lines 25 and 29 expose the API key, a malicious user can monitor the process tree and steal the API key. 24 def setup(options = {}) 25 %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key} "] 26 end 27 28 def teardown(options = {}) 29 %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}" ] 30 end Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html # Iranian Exploit DataBase = http://IeDb.Ir [2014-01-11]