CVE-2009-2422.yml
---
gem: rails
framework: rails
cve: 2009-2422
ghsa: rxq3-gm4p-5fj4
url: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
title: High Security Vulnerability with authenticate_with_http_digest of Rails
date: 2009-07-10
description: |
  The example code for the digest authentication functionality
  (http_authentication.rb) in Ruby on Rails before 2.3.3 defines
  an authenticate_or_request_with_http_digest block that returns
  nil instead of false when the user does not exist, which allows
  context-dependent attackers to bypass authentication for
  applications that are derived from this example by sending an
  invalid username without a password.
cvss_v2: 7.5
cvss_v3: 9.8
patched_versions:
  - ">= 2.3.3"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2009-2422
    - http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
    - https://lists.apple.com/archives/security-announce/2010/Mar/msg00001.html
    - https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
    - http://support.apple.com/kb/HT4077
    - http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
    - https://github.com/advisories/GHSA-rxq3-gm4p-5fj4