CVE-2009-2422
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Affected (5)
Products: Rubyonrails: Ruby On Rails · Apple: Mac Os X, Mac Os X Server
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Before 2.3.3 |
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| From 10.6.0 to 10.6.3 | |
| From 10.6.0 to 10.6.3 |
References (16)
Source: cve@mitre.org
Mailing List
Source: cve@mitre.org
ExploitPatch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Broken LinkPatchThird Party AdvisoryVDB Entry
Source: cve@mitre.org
Broken LinkPatchVendor Advisory
Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkPatchThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkPatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Timeline
No history available yet.