CVE-2009-2422 (retired)

Priority
Description
The example code for the digest authentication functionality
(http_authentication.rb) in Ruby on Rails before 2.3.3 defines an
authenticate_or_request_with_http_digest block that returns nil instead of
false when the user does not exist, which allows context-dependent
attackers to bypass authentication for applications that are derived from
this example by sending an invalid username without a password.
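The nil-versus-false distinction above, as an added Ruby sketch that is not the Rails source or the example code the description refers to. It assumes a simplified validator that interpolates the lookup result into the RFC 2617 digest input, so a nil result behaves like an empty password; `validate_vulnerable`, `validate_hardened`, `sample_request` and the user data are hypothetical names and constructed values.

```ruby
require "digest/md5"

REALM = "Application"            # constructed sample realm
USERS = { "alice" => "secret" }  # constructed sample user store

# Digest response per RFC 2617 with qop=auth. String interpolation turns a
# nil password into "", so an unknown user hashes like an empty password.
def expected_response(username, password, req)
  ha1 = Digest::MD5.hexdigest("#{username}:#{REALM}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{req[:method]}:#{req[:uri]}")
  Digest::MD5.hexdigest([ha1, req[:nonce], req[:nc], req[:cnonce], req[:qop], ha2].join(":"))
end

# Before: the lookup result is used even when it is nil (unknown user).
def validate_vulnerable(req, &lookup)
  password = lookup.call(req[:username])
  expected_response(req[:username], password, req) == req[:response]
end

# After: a nil or false lookup result rejects the request outright.
def validate_hardened(req, &lookup)
  password = lookup.call(req[:username])
  return false unless password
  expected_response(req[:username], password, req) == req[:response]
end

# Build a constructed request the way a client would for the given password.
def sample_request(username, password)
  req = { username: username, method: "GET", uri: "/admin",
          nonce: "constructed-nonce", nc: "00000001", cnonce: "abc", qop: "auth" }
  req.merge(response: expected_response(username, password, req))
end

LOOKUP = ->(name) { USERS[name] }  # Hash#[] returns nil for an unknown user

def demo
  unknown = sample_request("nosuchuser", "")  # invalid username, empty password
  valid   = sample_request("alice", "secret")
  { vulnerable_unknown: validate_vulnerable(unknown, &LOOKUP),
    hardened_unknown:   validate_hardened(unknown, &LOOKUP),
    hardened_valid:     validate_hardened(valid, &LOOKUP) }
end

p demo if __FILE__ == $0
```

Applications derived from the example can apply the same guard in their own block by returning false explicitly when the user is not found.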
Notes
Package
Source: rails (LP Ubuntu Debian)
Upstream: released (2.3.3)
More Information

Updated: 2019-10-09 07:18:20 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)