VYPR
High severity · NVD Advisory · Published Jan 10, 2018 · Updated Aug 6, 2024

CVE-2014-4991


Description

(1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The codders-dataset gem 1.3.2.1 for Ruby exposes database credentials on the mysqldump command line, allowing local users to obtain sensitive information via process listing.

Vulnerability

The codders-dataset gem version 1.3.2.1 for Ruby places database credentials on the mysqldump command line in lib/dataset/database/mysql.rb and lib/dataset/database/postgresql.rb [1][2]. Specifically, the @password variable is interpolated directly into the command line (e.g., --password=#{@password}), so the plaintext password appears in the system's process table for as long as the dump runs [4]. Both the MySQL and the PostgreSQL database backends are affected [1][4].

Exploitation

An attacker with local access to the system can list running processes (e.g., using ps or /proc) to view the command-line arguments of the mysqldump process, thereby capturing the database credentials [1][2]. No authentication or special privileges beyond local user access are required; the attacker simply needs to observe processes at the moment the gem executes the database dump [4].

Impact

Successful exploitation results in disclosure of the database username and password, leading to loss of confidentiality of database credentials [1][2]. An attacker who obtains these credentials can then access the database with the same privileges as the compromised user, potentially reading, modifying, or deleting data [4].

Mitigation

As of the available references, no official patch or updated version of the codders-dataset gem has been released to address this vulnerability [1][2]. The gem's GitHub repository does not indicate a fix [3]. Users should avoid using this gem for database operations that require passing credentials on the command line, or switch to alternative tools that use secure methods (e.g., configuration files with restricted permissions) for credential handling.
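The command-line pattern described above, beside two forms that keep the password out of argv, as an added Ruby example that is not code from the codders-dataset gem. The option-file approach for mysqldump, the PGPASSWORD environment approach for pg_dump, the helper names, and all sample values (user app, the constructed password) are assumptions made for illustration; the argv check is the kind of regression test a project could add for this bug class.

```ruby
require 'tempfile'

# Added example, not code from the codders-dataset gem. It contrasts the
# command-line pattern the advisory describes with two ways of keeping the
# password out of argv, plus a check a test suite could run.

# Vulnerable pattern: the password is interpolated into argv, so any local
# user who can read the process table (ps, /proc/<pid>/cmdline) sees it.
def vulnerable_mysqldump_argv(user:, password:, database:)
  ['mysqldump', "--user=#{user}", "--password=#{password}", database]
end

# Hardened MySQL form: write the credentials to an option file readable only
# by the owner and point mysqldump at it. The file path, not the secret, is
# what shows up in a process listing. --defaults-extra-file must be the
# first option on the mysqldump command line.
def write_mysql_option_file(user:, password:)
  file = Tempfile.new(['mysqldump-creds', '.cnf'])
  file.chmod(0o600)
  # Quote the value so a password containing '#' or whitespace survives;
  # a double quote or backslash inside the value is backslash-escaped.
  escaped = password.gsub(/["\\]/) { |m| "\\#{m}" }
  file.write("[client]\nuser=#{user}\npassword=\"#{escaped}\"\n")
  file.flush
  file
end

def hardened_mysqldump_argv(option_file_path, database:)
  ['mysqldump', "--defaults-extra-file=#{option_file_path}", database]
end

# Hardened PostgreSQL form: pg_dump reads PGPASSWORD from its environment.
# Return the env hash and argv separately and pass both to Process.spawn or
# Open3.capture2 (spawn(env, *argv)) so the secret never enters argv.
# On Linux /proc/<pid>/environ is readable only by the process owner,
# unlike /proc/<pid>/cmdline, which is world-readable.
def hardened_pg_dump_invocation(user:, password:, database:)
  env  = { 'PGPASSWORD' => password }
  argv = ['pg_dump', "--username=#{user}", database]
  [env, argv]
end

# Regression check: true if any argv element contains the secret.
def argv_exposes_secret?(argv, secret)
  argv.any? { |arg| arg.include?(secret) }
end

if __FILE__ == $PROGRAM_NAME
  pw = 'constructed-s3cret' # constructed sample value, not a real credential
  creds = write_mysql_option_file(user: 'app', password: pw)
  bad  = vulnerable_mysqldump_argv(user: 'app', password: pw, database: 'app_db')
  good = hardened_mysqldump_argv(creds.path, database: 'app_db')
  puts "vulnerable argv exposes secret: #{argv_exposes_secret?(bad, pw)}"
  puts "hardened argv exposes secret:   #{argv_exposes_secret?(good, pw)}"
  creds.close!
end
```

The option file is created with mode 0600 and removed with close! once the dump finishes; because mysqldump reads it from disk rather than from argv, a concurrent ps only reveals the temporary path. The same separation of env and argv applies to any Process.spawn or Open3 call that drives a command-line client.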

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: codders-dataset (RubyGems)
Affected versions: <= 1.3.2.1
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 10

News mentions: 0