Lucene search

K

GoogleOSV:GHSA-P692-7MM3-3FXG

HistoryOct 24, 2017 - 6:33 p.m.

actionpack is vulnerable to remote bypass authentication

2017-10-2418:33:36

Google

osv.dev

10

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.019 Low

EPSS

Percentile

88.2%

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

CPENameOperatorVersion
actionpackeq3.1.1.rc1
actionpackeq3.2.6
actionpackeq4.0.6.rc1
actionpackeq3.2.14.rc2
actionpackeq3.2.20
actionpackeq4.0.4.rc1
actionpackeq3.2.15.rc1
actionpackeq4.0.1.rc3
actionpackeq3.2.8.rc1
actionpackeq4.1.14

Rows per page:

1-10 of 1221

References

lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html

lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

lists.opensuse.org/opensuse-updates/2016-02/msg00034.html

lists.opensuse.org/opensuse-updates/2016-02/msg00043.html

rhn.redhat.com/errata/RHSA-2016-0296.html

www.debian.org/security/2016/dsa-3464

www.openwall.com/lists/oss-security/2016/01/25/8

github.com/rails/rails

github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbd

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7576.yml

groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ

nvd.nist.gov/vuln/detail/CVE-2015-7576

web.archive.org/web/20160405205300/www.securitytracker.com/id/1034816

web.archive.org/web/20200228001849/www.securityfocus.com/bid/81803

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.019 Low

EPSS

Percentile

88.2%

Related for OSV:GHSA-P692-7MM3-3FXG

openvas7 osv2 github1 ubuntucve1 fedora5 hackerone1 prion1 veracode1 nessus10 cve1 debiancve1 rubygems1 debian3 redhat3 ibm1 freebsd1 suse1