Vulnerable version(s)2.0.0 up to 2.7.5
Version with fix3.0.0


Sander Bos discovered that the data upload routine in Lynis up to version 2.7.5 may leak information, which allows attackers to retrieve the license key by looking at the process listing.

When defined, the license key can be leaked during the period that a data upload occurs. A local user could monitor the process list to find the license key. The key is part of the parameters provided to cURL. This happens when the --upload is used to upload data to a central system. The specific call happens in the include/data_upload script.

Although the license key alone does not grant access to system information on a central server, it may be used to upload falsified data, waste system resources, or use up all upload credits.

Affected versions are 2.0.0 up to 2.7.5.


To mitigate this issue, the data now comes from a file instead of a directly visible POST parameter.

Discoverer and credits

Sander Bos
Entry last updated June 18, 2020