CVE-2016-10530

The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept all the secret keys the user is sending. This goes against common best practice, which is to use HTTPS.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
airbrakeairbrake
𝑥
≤ 0.3.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/airbrake/node-airbrake/issues/70
https://nodesecurity.io/advisories/96
https://github.com/airbrake/node-airbrake/issues/70
https://nodesecurity.io/advisories/96