Bug 509564 (CVE-2009-2422) - CVE-2009-2422 rubygem-actionpack: authenticate_with_http_digest authentication bypass
Summary: CVE-2009-2422 rubygem-actionpack: authenticate_with_http_digest authenticatio...
Alias: CVE-2009-2422
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Confidential542055
Reported: 2009-07-03 14:59 UTC by Tomas Hoger
Modified: 2010-12-20 22:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-12-20 22:28:21 UTC


Description Tomas Hoger 2009-07-03 14:59:45 UTC
A flaw was found in HTTP digest authentication code in Ruby on Rails.  This could allow remote attackers to bypass authentication by providing non-existent user name and nil / empty password.

Detailed description, also with workaround:

Upstream patch:

Support for HTTP digest authentication was only introduced in version 2.3, so only F11/Rawhide should be affected by this problem.  Older version 2.1.1 currently in F9, F10 and EPEL5 does not contain affected code.

Comment 1 Tomas Hoger 2009-07-10 15:21:12 UTC
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
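
The mechanism behind the bypass, as an added example that is not part of this bug report and not Rails' own code: a simplified, self-contained reconstruction of an RFC 2617 digest check in the shape of the Rails 2.3 API (a password-lookup block that returns the password for a known user and nil for an unknown one), shown in a vulnerable form beside a hardened one. The user store, realm, nonce and header values are constructed for the example. The vulnerable form hashes whatever the block returns, so a nil password produces the same HA1 as an empty password, and a client that knows only the realm and an unused username can compute a valid response. The hardened form refuses before hashing when the lookup returns nothing, which is the check the text implies the fixed example must make.

```ruby
require 'digest/md5'

# Constructed user store: only "alice" exists. (Example data, not from the bug report.)
USERS = { 'alice' => 's3cret' }.freeze
REALM = 'Application'

# Password lookup in the shape of the Rails 2.3 example block: the password for a
# known user, nil for an unknown one. The nil is what the bypass exploits.
PASSWORD_PROC = lambda { |username| USERS[username] }

# Parse the fields of an RFC 2617 "Digest ..." Authorization header value into a hash.
def decode_digest_header(header)
  fields = header.sub(/\ADigest\s+/, '').scan(/(\w+)=("([^"]*)"|([^,]*))/)
  fields.each_with_object({}) { |(k, _, quoted, bare), h| h[k.to_sym] = quoted || bare }
end

# RFC 2617 response for qop=auth. Used by the client to build the header and by the
# server to compute the value it expects.
def digest_response(method, uri, c, password)
  ha1 = Digest::MD5.hexdigest([c[:username], c[:realm], password].join(':'))
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, c[:nonce], c[:nc], c[:cnonce], c[:qop], ha2].join(':'))
end

# Vulnerable shape: a nil password from the lookup goes straight into the hash, and
# [username, realm, nil].join(':') is the same string as for an empty password.
def validate_vulnerable(method, uri, header, &password_proc)
  c = decode_digest_header(header)
  password = password_proc.call(c[:username])
  digest_response(method, uri, c, password) == c[:response]
end

# Hardened shape: reject before hashing when the lookup finds no such user.
def validate_fixed(method, uri, header, &password_proc)
  c = decode_digest_header(header)
  password = password_proc.call(c[:username])
  return false unless password
  digest_response(method, uri, c, password) == c[:response]
end

# Build the Authorization header value a client would send for a user and password.
def build_header(username, password, method, uri, nonce)
  c = { username: username, realm: REALM, nonce: nonce, nc: '00000001',
        cnonce: 'cafebabe', qop: 'auth', uri: uri }
  c[:response] = digest_response(method, uri, c, password)
  %(Digest username="#{c[:username]}", realm="#{c[:realm]}", nonce="#{c[:nonce]}", ) +
    %(uri="#{c[:uri]}", qop=auth, nc=#{c[:nc]}, cnonce="#{c[:cnonce]}", response="#{c[:response]}")
end

NONCE = 'constructed-nonce' # constructed; a real server issues and validates its own nonces

# Unknown user "nobody" with an empty password: accepted by the vulnerable check.
def bypass_accepted_by_vulnerable?
  validate_vulnerable('GET', '/secret', build_header('nobody', '', 'GET', '/secret', NONCE), &PASSWORD_PROC)
end

# The same request against the fixed check.
def bypass_accepted_by_fixed?
  validate_fixed('GET', '/secret', build_header('nobody', '', 'GET', '/secret', NONCE), &PASSWORD_PROC)
end

# A known user with the right password still passes the fixed check...
def alice_accepted_by_fixed?
  validate_fixed('GET', '/secret', build_header('alice', 's3cret', 'GET', '/secret', NONCE), &PASSWORD_PROC)
end

# ...and with the wrong password is rejected.
def alice_wrong_password_accepted_by_fixed?
  validate_fixed('GET', '/secret', build_header('alice', 'wrong', 'GET', '/secret', NONCE), &PASSWORD_PROC)
end

if __FILE__ == $0
  puts "vulnerable accepts unknown user + empty password: #{bypass_accepted_by_vulnerable?}"
  puts "fixed accepts unknown user + empty password:      #{bypass_accepted_by_fixed?}"
  puts "fixed accepts alice with correct password:        #{alice_accepted_by_fixed?}"
end
```

The nonce and opaque checks a real server performs are omitted here because they do not change the outcome: the attacker's request carries a perfectly valid nonce, and only the password lookup result distinguishes a known user from an unknown one. That is why the fix belongs in the lookup path, not in the nonce handling.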

Comment 2 Vincent Danen 2009-11-28 03:42:37 UTC
Fedora 12 currently contains 2.3.4, so this only affects Fedora 11 still.

Comment 4 Rakesh Pandit 2010-05-29 08:32:21 UTC
If this affects only F11, please consider closing it, as it is already EOL?
