CVE-2016-10530
Insecure Default Configuration in airbrake
EPSS 0.30%
Description
Affected versions of `airbrake` default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive information.
Recommendation
Update to version 0.4.0 or later, or upgrade from the now-deprecated `airbrake` module to its replacement, [`airbrake-js`](https://www.npmjs.com/package/airbrake-js).
How to fix CVE-2016-10530
To remediate CVE-2016-10530, upgrade the affected package to a fixed version below.
- `airbrake`: upgrade to 0.4.0 or later
Is CVE-2016-10530 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `airbrake`: from 0, < 0.4.0
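An added example (not part of the advisory or the airbrake project): a Node.js check that walks a parsed `package-lock.json` and reports every installed copy of `airbrake` below the fixed version 0.4.0, including copies pulled in transitively. The lockfile contents and the `legacy-reporter` package name are constructed for illustration.

```javascript
// Added example: flag airbrake installs in the range affected by CVE-2016-10530 (< 0.4.0).
const FIXED = [0, 4, 0]; // first fixed version, taken from the advisory

// Returns true when `version` sorts below 0.4.0 (a prerelease of 0.4.0 counts as below).
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version).trim());
  if (!m) return false; // git/file/URL specifiers cannot be judged here and are skipped
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (core[i] !== FIXED[i]) return core[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Walks a parsed package-lock.json (lockfileVersion 1, 2 or 3) and lists every
// installed copy of airbrake that falls in the affected range.
function findAffectedAirbrake(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) { // v2/v3: flat map
    if (/(^|\/)node_modules\/airbrake$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 repeats the same data under "dependencies"
  (function walk(deps, prefix) { // v1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'airbrake' && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  })(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    'node_modules/airbrake': { version: '0.3.8' },
    'node_modules/legacy-reporter/node_modules/airbrake': { version: '0.4.0' },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'legacy-reporter': { version: '2.1.0', dependencies: { airbrake: { version: '0.2.9' } } },
  },
};

console.log(findAffectedAirbrake(sampleV3), findAffectedAirbrake(sampleV1));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffectedAirbrake`.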