CVE-2015-7576

Published: Feb 16, 2016Modified: May 6, 2026

3.7

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.2 / Impact: 1.4

Source: NVD

Description

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Affected (86)

Products: Rubyonrails: Rails, Ruby On Rails

Rubyonrails

2 products

Rails

Ruby On Rails

Configuration A

86 vulnerable

Vulnerable Software	Affected Versions
Rubyonrails Rails	Version 4.0.0
Rubyonrails Rails	Version 4.0.0 beta
Rubyonrails Rails	Version 4.0.0 rc1
Rubyonrails Rails	Version 4.0.0 rc2
Rubyonrails Rails	Version 4.0.10
Rubyonrails Rails	Version 4.0.10 rc1
Rubyonrails Rails	Version 4.0.1
Rubyonrails Rails	Version 4.0.1 rc1
Rubyonrails Rails	Version 4.0.1 rc2
Rubyonrails Rails	Version 4.0.1 rc3
Rubyonrails Rails	Version 4.0.1 rc4
Rubyonrails Rails	Version 4.0.2
Rubyonrails Rails	Version 4.0.3
Rubyonrails Rails	Version 4.0.4
Rubyonrails Rails	Version 4.0.4 rc1
Rubyonrails Rails	Version 4.0.5
Rubyonrails Rails	Version 4.0.6
Rubyonrails Rails	Version 4.0.6 rc1
Rubyonrails Rails	Version 4.0.6 rc2
Rubyonrails Rails	Version 4.0.6 rc3
Rubyonrails Rails	Version 4.0.7
Rubyonrails Rails	Version 4.0.8
Rubyonrails Rails	Version 4.0.9
Rubyonrails Rails	Version 4.1.0
Rubyonrails Rails	Version 4.1.0 beta1
Rubyonrails Rails	Version 4.1.0 beta2
Rubyonrails Rails	Version 4.1.0 rc1
Rubyonrails Rails	Version 4.1.0 rc2
Rubyonrails Rails	Version 4.1.10
Rubyonrails Rails	Version 4.1.10 rc1
Rubyonrails Rails	Version 4.1.10 rc2
Rubyonrails Rails	Version 4.1.10 rc3
Rubyonrails Rails	Version 4.1.10 rc4
Rubyonrails Rails	Version 4.1.12
Rubyonrails Rails	Version 4.1.12 rc1
Rubyonrails Rails	Version 4.1.13
Rubyonrails Rails	Version 4.1.13 rc1
Rubyonrails Rails	Version 4.1.14
Rubyonrails Rails	Version 4.1.14 rc1
Rubyonrails Rails	Version 4.1.14 rc2
Rubyonrails Rails	Version 4.1.1
Rubyonrails Rails	Version 4.1.2
Rubyonrails Rails	Version 4.1.2 rc1
Rubyonrails Rails	Version 4.1.2 rc2
Rubyonrails Rails	Version 4.1.2 rc3
Rubyonrails Rails	Version 4.1.3
Rubyonrails Rails	Version 4.1.4
Rubyonrails Rails	Version 4.1.5
Rubyonrails Rails	Version 4.1.6
Rubyonrails Rails	Version 4.1.6 rc1
Rubyonrails Rails	Version 4.1.6 rc2
Rubyonrails Rails	Version 4.1.7.1
Rubyonrails Rails	Version 4.1.7
Rubyonrails Rails	Version 4.1.8
Rubyonrails Rails	Version 4.1.9
Rubyonrails Rails	Version 4.1.9 rc1
Rubyonrails Rails	Version 4.2.0
Rubyonrails Rails	Version 4.2.0 beta1
Rubyonrails Rails	Version 4.2.0 beta2
Rubyonrails Rails	Version 4.2.0 beta3
Rubyonrails Rails	Version 4.2.0 beta4
Rubyonrails Rails	Version 4.2.0 rc1
Rubyonrails Rails	Version 4.2.0 rc2
Rubyonrails Rails	Version 4.2.0 rc3
Rubyonrails Rails	Version 4.2.1
Rubyonrails Rails	Version 4.2.1 rc1
Rubyonrails Rails	Version 4.2.1 rc2
Rubyonrails Rails	Version 4.2.1 rc3
Rubyonrails Rails	Version 4.2.1 rc4
Rubyonrails Rails	Version 4.2.2
Rubyonrails Rails	Version 4.2.3
Rubyonrails Rails	Version 4.2.3 rc1
Rubyonrails Rails	Version 4.2.4
Rubyonrails Rails	Version 4.2.4 rc1
Rubyonrails Rails	Version 4.2.5
Rubyonrails Rails	Version 4.2.5 rc1
Rubyonrails Rails	Version 4.2.5 rc2
Rubyonrails Rails	Version 5.0.0 beta1
Rubyonrails Ruby On Rails	Up to 3.2.22
Rubyonrails Ruby On Rails	Version 4.0.10 rc2
Rubyonrails Ruby On Rails	Version 4.0.11.1
Rubyonrails Ruby On Rails	Version 4.0.11
Rubyonrails Ruby On Rails	Version 4.0.12
Rubyonrails Ruby On Rails	Version 4.0.13
Rubyonrails Ruby On Rails	Version 4.0.13 rc1
Rubyonrails Ruby On Rails	Version 4.1.11