

Vendor            David Hansson
Product           Ruby On Rails
Version           
Type              Application
Software Edition  
Target Software   
Target Hardware   
First view        2009-07-10
Last view         2009-07-10

Activity : Overall


CPE Name Affected CVE
cpe:2.3:a:david_hansson:ruby_on_rails:2.3.3:*:*:*:*:*:*:* 1

Related : CVE

  CVSS  Date        CVE
  7.5   2009-07-10  CVE-2009-2422

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
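The mechanism behind this CVE is easy to miss in prose, so here is a stand-alone model of RFC 2617 digest verification that reproduces it. This is an added example, not Rails' own http_authentication.rb or the code from the example it describes; REALM, USERS, the nonce values and the helper names (validate_flawed, validate_hardened, client_credentials) are constructed for the illustration, and it only models plaintext passwords, not the HA1-returning variant of the block. The point it shows: when the credential block yields nil for an unknown user and the verifier feeds that straight into the hash, Array#join stringifies nil as "", so a request for a nonexistent username with an empty password produces exactly the digest the server computes.

```ruby
require 'digest/md5'

REALM = 'Application'
USERS = { 'alice' => 'correct horse' }   # constructed user table for the example

# Credential block in the style of the vulnerable example: Hash#[] yields nil
# for an unknown user.
LOOKUP_NIL   = ->(username) { USERS[username] }
# Credential block that returns false for an unknown user, as the fixed example does.
LOOKUP_FALSE = ->(username) { USERS[username] || false }

# RFC 2617 building blocks. Array#join turns nil into "" - this is the root cause:
# an absent password hashes exactly like an empty one.
def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(method, uri)
  Digest::MD5.hexdigest([method, uri].join(':'))
end

def digest_response(creds, password)
  Digest::MD5.hexdigest([
    ha1(creds[:username], creds[:realm], password),
    creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop],
    ha2(creds[:method], creds[:uri])
  ].join(':'))
end

# What a client sends for a given username/password (nonce values are constructed).
def client_credentials(username, password, method: 'GET', uri: '/admin')
  creds = { username: username, realm: REALM, nonce: 'c3c9f1d2', nc: '00000001',
            cnonce: '0a4f113b', qop: 'auth', method: method, uri: uri }
  creds.merge(response: digest_response(creds, password))
end

# Flawed verifier modelled on the behaviour the CVE describes: whatever the
# credential block returns goes straight into the hash, with no presence check.
def validate_flawed(creds, lookup)
  return false unless creds[:realm] == REALM
  expected = digest_response(creds, lookup.call(creds[:username]))
  expected == creds[:response]
end

# Hardened verifier: refuse before hashing when the block yields no credential
# (nil and false alike), and compare the digests in constant time.
def validate_hardened(creds, lookup)
  return false unless creds[:realm] == REALM
  password = lookup.call(creds[:username])
  return false unless password
  secure_equal?(digest_response(creds, password), creds[:response])
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  attacker = client_credentials('nobody', '')            # unknown user, empty password
  legit    = client_credentials('alice', 'correct horse')
  puts "flawed   + nil block, attacker: #{validate_flawed(attacker, LOOKUP_NIL)}"
  puts "hardened + nil block, attacker: #{validate_hardened(attacker, LOOKUP_NIL)}"
  puts "hardened + nil block, alice:    #{validate_hardened(legit, LOOKUP_NIL)}"
end
```

Two things worth noticing in this model. Returning false from the block does stop the empty-password request against validate_flawed, because "nobody:Application:false" no longer hashes like "nobody:Application:"; but the literal is still interpolated, so a client that sends the password "false" for an unknown user gets through the flawed verifier again. That is why the hardened verifier guards on the block's return value before any hashing rather than relying on the block's nil-versus-false convention. A quick check on a deployed application is therefore not "does my block return false" but "does the verifier reject an unknown username sent with an empty password, and with the password 'false'".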

CWE : Common Weakness Enumeration

100% (1) CWE-287 Improper Authentication

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-22 Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-57 Utilizing REST's Trust in the System Resource to Register Man in the Middle
CAPEC-94 Man in the Middle Attack
CAPEC-114 Authentication Abuse

Open Source Vulnerability Database (OSVDB)

id Description
55664 Ruby on Rails HTTP Digest Authentication nil User Bypass

OpenVAS Exploits

Date        Name / File
2010-05-12  Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
            File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2009-12-30  Name : Gentoo Security Advisory GLSA 200912-02 (rails)
            File : nvt/glsa_200912_02.nasl
2009-07-17  Name : Ruby on Rails Authentication Bypass Vulnerability
            File : nvt/gb_ruby_rails_auth_bypass_vuln.nasl

Nessus® Vulnerability Scanner

Date        Name / File
2010-03-29  Name: The remote host is missing a Mac OS X update that fixes various security issues.
            File: macosx_10_6_3.nasl - Type: ACT_GATHER_INFO
2010-03-29  Name: The remote host is missing a Mac OS X update that fixes various security issues.
            File: macosx_SecUpd2010-002.nasl - Type: ACT_GATHER_INFO
2009-12-22  Name: The remote Gentoo host is missing one or more security-related patches.
            File: gentoo_GLSA-200912-02.nasl - Type: ACT_GATHER_INFO
2009-07-21  Name: The remote web server contains an application that is prone to an authenticat...
            File: ror_http_digest_bypass.nasl - Type: ACT_ATTACK