| Summary: | <dev-ruby/rack-attack-4.3.1: Missing normalization when used with ruby on rails | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | ruby |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2016/01/07/1 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Affected versions have been removed. no vulnerable versions in tree. |
From ${URL} : Rack::Attack <4.3.1 does not normalize paths before processing them, meaning that if there is a throttle or block rule for /login, a malicious user could use /login/ to bypass the check. This only affects Rails applications. More details: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 Fixed by: https://github.com/kickstarter/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 Related tweets: https://twitter.com/rorsecurity/status/678878091314335744 https://twitter.com/IncludeSecurity/status/677905982391984129 This could almost be categorized as CWE-289 "Authentication Bypass by Alternate Name", but it's not really authentication here. I couldn't find a better CWE without getting too generic. @maintainer(s): since the fixed version is already in the tree, please remove the affected versions.