Описание
Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly
With the consul ruby gem before 1.0.3, if a controller checks multiple powers using :if or :except conditions, these conditions are erroneously applied to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-16377
- https://github.com/makandra/consul/issues/49
- https://github.com/rubysec/ruby-advisory-db/blob/c26fbc13435b8be448ad59131428538049d165e4/gems/consul/CVE-2019-16377.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/consul/CVE-2019-16377.yml
- https://rubygems.org/gems/consul
Пакеты
Наименование
consul
rubygems
Затронутые версииВерсия исправления
< 1.0.3
1.0.3
Связанные уязвимости
CVSS3: 9.8
nvd
больше 6 лет назад
The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Control.