The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails prior to 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent malicious users to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
rubyonrails ruby on rails |
||
apple mac os x 10.5.8 |
||
apple mac os x server 10.5.8 |
||
apple mac os x |
||
apple mac os x server |