With the consul ruby gem before 1.0.3, if a controller checks multiple powers using :if
or :except
conditions, these conditions are erroneously applied to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions.
github.com/makandra/consul
github.com/makandra/consul/issues/49
github.com/rubysec/ruby-advisory-db/blob/c26fbc13435b8be448ad59131428538049d165e4/gems/consul/CVE-2019-16377.yml
github.com/rubysec/ruby-advisory-db/blob/master/gems/consul/CVE-2019-16377.yml
nvd.nist.gov/vuln/detail/CVE-2019-16377
rubygems.org/gems/consul