| Summary: | <dev-ruby/rails-2.3.4: authenticate_or_request_with_http_digest bypass (CVE-2009-2422) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ruby |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-07-02 19:21:14 UTC
CVE-2009-2422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2422): The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. This is fixed in >= rails 2.3.3. Stabling together with bug 283396. GLSA together with bug 237385. GLSA 200912-02
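The nil-versus-false point in the CVE text, shown as an added Ruby model that is neither Rails' own http_authentication.rb nor part of this bug report: a password-lookup block in the shape of the old documentation example beside a hardened one, and a simplified digest check with and without the guard that the fix adds. REALM, USERS and all helper names are constructed for the illustration.

```ruby
require 'digest/md5'

REALM = 'Application'.freeze

# Constructed sample user store standing in for the application's User model.
USERS = { 'alice' => 's3cret' }.freeze

# Lookup block in the shape of the pre-2.3.3 documentation example:
# a user that does not exist yields nil rather than an explicit false.
VULNERABLE_LOOKUP = lambda { |username| USERS[username] }

# Hardened lookup: a missing user is reported as false, never nil.
HARDENED_LOOKUP = lambda { |username| USERS.fetch(username, false) }

# HA1 as RFC 2617 defines it: MD5(username:realm:password).
# Ruby interpolates nil as "", so a nil password hashes exactly like an empty one.
def ha1(username, realm, password)
  Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
end

# Simplified model of a check that hashes whatever the lookup returns
# (not Rails' validate_digest_response; it only models the nil coercion).
def vulnerable_valid?(username, client_ha1, lookup)
  password = lookup.call(username)
  client_ha1 == ha1(username, REALM, password)
end

# Hardened model: refuse before hashing whenever the lookup reports no password.
# This is the guard the 2.3.3 fix adds; it covers both nil and false, whereas
# merely returning false from the block only changes which string gets hashed.
def hardened_valid?(username, client_ha1, lookup)
  password = lookup.call(username)
  return false unless password
  client_ha1 == ha1(username, REALM, password)
end

# HA1 a client computes from the username and the password it actually holds.
def client_ha1(username, password)
  ha1(username, REALM, password)
end
```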