Severity: moderate

Insecure Default Configuration

airbrake

Overview

Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive information.

Remediation

Update to version 0.4.0 or later, or upgrade from the now-deprecated airbrake module to its replacement, airbrake-js.

Advisory timeline

  1. Published: advisory published, Mar 28th, 2016
  2. Reported: initial report by Phil Schleihauf, Mar 28th, 2016