Improper Authentication Affecting rails package, versions <2.3.5-1


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
3.99% (92nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authentication vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN10-RAILS-384842
  • published10 Jul 2009
  • disclosed10 Jul 2009

Introduced: 10 Jul 2009

CVE-2009-2422  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Debian:10 rails to version 2.3.5-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rails package and not the rails package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

CVSS Scores

version 3.1