Information Exposure Affecting mechanize package, versions <2.4
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-MECHANIZE-20363
- published 8 May 2017
- disclosed 19 Apr 2012
- credit Eric Hodel
How to fix?
Upgrade mechanize to version 2.4 or higher.
Overview
mechanize is used for automating interaction with websites.
Affected versions of the package exposed the http authentication credentials. Only one set of HTTP authentication credentials were allowed for a connections. If a mechanize instance connected to more than one server then a malicious server detecting mechanize could ask for HTTP Basic authentication. This would expose the username and password intended only for one server.