This CPE summary could be partial or incomplete. Please contact us for a detailed listing.
Summary
| Detail | |||
|---|---|---|---|
| Vendor | David Hansson | First view | 2009-07-10 |
| Product | Ruby On Rails | Last view | 2009-07-10 |
| Version | Type | Application | |
| Update | |||
| Edition | |||
| Language | |||
| Sofware Edition | |||
| Target Software | |||
| Target Hardware | |||
| Other | |||
Activity : Overall
COMMON PLATFORM ENUMERATION: Repartition per Version
| CPE Name | Affected CVE |
|---|---|
| cpe:2.3:a:david_hansson:ruby_on_rails:2.3.3:*:*:*:*:*:*:* | 1 |
Related : CVE
| Date | Alert | Description | |
|---|---|---|---|
| 7.5 | 2009-07-10 | CVE-2009-2422 | The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password. |
CWE : Common Weakness Enumeration
| % | id | Name |
|---|---|---|
| 100% (1) | CWE-287 | Improper Authentication |
CAPEC : Common Attack Pattern Enumeration & Classification
| id | Name |
|---|---|
| CAPEC-22 | Exploiting Trust in Client (aka Make the Client Invisible) |
| CAPEC-57 | Utilizing REST's Trust in the System Resource to Register Man in the Middle |
| CAPEC-94 | Man in the Middle Attack |
| CAPEC-114 | Authentication Abuse |
Open Source Vulnerability Database (OSVDB)
| id | Description |
|---|---|
| 55664 | Ruby on Rails HTTP Digest Authentication nil User Bypass |
OpenVAS Exploits
| id | Description |
|---|---|
| 2010-05-12 | Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002 File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl |
| 2009-12-30 | Name : Gentoo Security Advisory GLSA 200912-02 (rails) File : nvt/glsa_200912_02.nasl |
| 2009-07-17 | Name : Ruby on Rails Authentication Bypass Vulnerability File : nvt/gb_ruby_rails_auth_bypass_vuln.nasl |
Nessus® Vulnerability Scanner
| id | Description |
|---|---|
| 2010-03-29 | Name: The remote host is missing a Mac OS X update that fixes various security issues. File: macosx_10_6_3.nasl - Type: ACT_GATHER_INFO |
| 2010-03-29 | Name: The remote host is missing a Mac OS X update that fixes various security issues. File: macosx_SecUpd2010-002.nasl - Type: ACT_GATHER_INFO |
| 2009-12-22 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-200912-02.nasl - Type: ACT_GATHER_INFO |
| 2009-07-21 | Name: The remote web server contains an application that is prone to an authenticat... File: ror_http_digest_bypass.nasl - Type: ACT_ATTACK |
