OSV (Google): GHSA-RXQ3-GM4P-5FJ4
History: Oct 24, 2017 - 6:33 p.m.

rails vulnerable to improper authentication

Published: 2017-10-24 18:33:38
Source: Google, osv.dev

AI Score: 9.5 High (Confidence: High)
EPSS: 0.027 Low (Percentile: 90.4%)

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
