CVE-2014-4999
Description
vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The kajam gem 1.0.3.rc2 for Ruby exposes the MySQL password in process listings via command-line arguments.
Vulnerability
The kajam gem version 1.0.3.rc2 for Ruby contains a vulnerability in the file vendor/plugins/dataset/lib/dataset/database/mysql.rb. In the capture function (line 18) and the restore function (line 24), the MySQL user password is passed as a command-line argument using --password=#{@password} to mysqldump and mysql commands. This allows any local user with the ability to list running processes to read the password from the process table [1] [3] [4].
Exploitation
An attacker must have local access to the system and the ability to list process command-line arguments (e.g., via ps or similar tools). No authentication or user interaction beyond local access is required. The password is visible in the process table while the capture or restore methods are executing, which can be triggered by any user of the gem or a Rails application using it [1] [3] [4].
Impact
Successful exploitation results in disclosure of the MySQL user password. This can lead to unauthorized database access, data breach, or further compromise of the database server. The attacker gains sensitive credential information without requiring elevated privileges [1] [3] [4].
Mitigation
No fixed version of the kajam gem has been released as of the available references. It is unclear if the gem is still maintained. Users should avoid using this gem, or modify the source code to pass the password via a file or environment variable instead of the command line. The CVE is not listed in KEV [1] [2] [3] [4].
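The mitigation above, as an added Ruby example (not the kajam gem's own code): the argv shape the advisory describes for capture, beside two forms that keep the password out of the process table, one via the child's environment and one via an owner-only option file. Function names are hypothetical; the same change applies to the mysql invocation in restore.

```ruby
# Added example: contrasting the pattern described for mysql.rb with forms
# that never place the password in a process argument.
require "tempfile"

# Vulnerable pattern (as the advisory describes): the password becomes an
# argv element, readable by any local user who can list processes.
def vulnerable_dump_argv(user, password, db)
  ["mysqldump", "-u", user, "--password=#{password}", db]
end

# Hardened form 1: hand the password to the child through its environment.
# Returns [env_hash, argv]; Kernel#system / Process.spawn accept the env
# hash as their first argument, so argv stays free of the secret.
def hardened_dump_env(user, password, db)
  [{ "MYSQL_PWD" => password }, ["mysqldump", "-u", user, db]]
end

# Hardened form 2: write a [client] option file readable only by the owner
# and point the client at it. --defaults-extra-file must be the first option.
def hardened_dump_defaults_file(user, password, db)
  f = Tempfile.new(["mysql-cred", ".cnf"])
  File.chmod(0o600, f.path)
  f.write("[client]\nuser=#{user}\npassword=\"#{password}\"\n")
  f.flush
  [f, ["mysqldump", "--defaults-extra-file=#{f.path}", db]]
end

# Regression check for a test suite: does any argv element carry the secret?
def argv_leaks_secret?(argv, secret)
  argv.any? { |a| a.include?(secret) }
end

# Running form 1: env hash first, then argv elements, output redirected.
def run_hardened_dump(user, password, db, out_path)
  env, argv = hardened_dump_env(user, password, db)
  system(env, *argv, out: out_path)
end
```

Close and unlink the Tempfile returned by form 2 as soon as the child exits, so the credential does not outlive the dump.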
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kajam (RubyGems) | <= 1.0.3.rc2 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-4ph7-5c44-pppv (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-4999 (NVD advisory)
- www.openwall.com/lists/oss-security/2014/07/07/19 (oss-security mailing list)
- www.openwall.com/lists/oss-security/2014/07/17/5 (oss-security mailing list)
- www.vapid.dhs.org/advisories/kajam-1.0.3.rc2.html (original advisory)
News mentions (0)
No linked articles in our index yet.