Homepage
About Snyk

Information Exposure Affecting mechanize package, versions <2.4

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-MECHANIZE-20363
  • published 8 May 2017
  • disclosed 19 Apr 2012
  • credit Eric Hodel
Report a new vulnerability Found a mistake?

Introduced: 19 Apr 2012

CVE NOT AVAILABLE CWE-200 Open this link in a new tab

How to fix?

Upgrade mechanize to version 2.4 or higher.

Overview

mechanize is used for automating interaction with websites.

Affected versions of the package exposed the http authentication credentials. Only one set of HTTP authentication credentials were allowed for a connections. If a mechanize instance connected to more than one server then a malicious server detecting mechanize could ask for HTTP Basic authentication. This would expose the username and password intended only for one server.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    None
  • Availability (A)
    None