CVE-2009-2422

Source
https://nvd.nist.gov/vuln/detail/CVE-2009-2422
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2009-2422.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2009-2422
Aliases
Published
2009-07-10T15:30:00Z
Modified
2024-09-11T02:00:06Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The example code for the digest authentication functionality (httpauthentication.rb) in Ruby on Rails before 2.3.3 defines an authenticateorrequestwithhttpdigest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

References

Affected packages

Debian:11 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / rails

Package

Name
rails
Purl
pkg:deb/debian/rails?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}