The lynx gem prior to 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.
As of version 1.0.0, lynx no longer supports a --password option. Passwords are only configured in a configuration file, so it’s no longer possible to expose passwords on the command line.
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-5002
- https://github.com/panthomakos/lynx/issues/3
- http://www.openwall.com/lists/oss-security/2014/07/07/23
- http://www.openwall.com/lists/oss-security/2014/07/17/5
- http://www.vapid.dhs.org/advisories/lynx-0.2.0.html
- https://github.com/advisories/GHSA-94cq-7ccq-cmcm