Summary
Detail | | | |
---|---|---|---|
Vendor | David Hansson | First view | 2009-07-10 |
Product | Ruby On Rails | Last view | 2009-07-10 |
Version | | Type | Application |
Update | | | |
Edition | | | |
Language | | | |
Software Edition | | | |
Target Software | | | |
Target Hardware | | | |
Other | | | |
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
CPE Name | Affected CVE |
---|---|
cpe:2.3:a:david_hansson:ruby_on_rails:2.3.3:*:*:*:*:*:*:* | 1 |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
7.5 | 2009-07-10 | CVE-2009-2422 | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
100% (1) | CWE-287 | Improper Authentication |
CAPEC : Common Attack Pattern Enumeration & Classification
id | Name |
---|---|
CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
CAPEC-94 | Man in the Middle Attack |
CAPEC-114 | Authentication Abuse |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
55664 | Ruby on Rails HTTP Digest Authentication nil User Bypass |
OpenVAS Exploits
Date | Name | File |
---|---|---|
2010-05-12 | Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002 | nvt/macosx_upd_10_6_3_secupd_2010-002.nasl |
2009-12-30 | Gentoo Security Advisory GLSA 200912-02 (rails) | nvt/glsa_200912_02.nasl |
2009-07-17 | Ruby on Rails Authentication Bypass Vulnerability | nvt/gb_ruby_rails_auth_bypass_vuln.nasl |
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2010-03-29 | The remote host is missing a Mac OS X update that fixes various security issues. | macosx_10_6_3.nasl | ACT_GATHER_INFO |
2010-03-29 | The remote host is missing a Mac OS X update that fixes various security issues. | macosx_SecUpd2010-002.nasl | ACT_GATHER_INFO |
2009-12-22 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200912-02.nasl | ACT_GATHER_INFO |
2009-07-21 | The remote web server contains an application that is prone to an authenticat... | ror_http_digest_bypass.nasl | ACT_ATTACK |