Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2009-2422

Published: 10/07/2009 Updated: 13/02/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Ruby On Rails

Vulnerability Summary

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails prior to 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent malicious users to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

Vulnerable Product Search on Vulmon Subscribe to Product

rubyonrails ruby on rails

apple mac os x 10.5.8

apple mac os x server 10.5.8

apple mac os x

apple mac os x server

Vendor Advisories

Red Hat:
DescriptionThe MITRE CVE dictionary describes this issue as: The example code for the digest authentication functionality (http_authenticationrb) in Ruby on Rails before 233 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass ...

References

CWE-287http://secunia.com/advisories/35702http://www.vupen.com/english/advisories/2009/1802http://www.securityfocus.com/bid/35579http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digesthttp://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3shttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlhttp://support.apple.com/kb/HT4077https://exchange.xforce.ibmcloud.com/vulnerabilities/51528https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2009-2422
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21987buffer overflowCVE-2024-28890CVE-2024-27574CVE-2024-27347CVE-2024-31450privilegeSSTICVE-2024-31666
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook