LOW 3.7
GHSA-p692-7mm3-3fxg
actionpack is vulnerable to remote bypass authentication
Details
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-7576 [ADVISORY]
- https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbd [WEB]
- https://github.com/rails/rails [PACKAGE]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7576.yml [WEB]
- https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k [WEB]
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ [WEB]
- https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816 [WEB]
- https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81803 [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html [WEB]
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html [WEB]
- http://rhn.redhat.com/errata/RHSA-2016-0296.html [WEB]
- http://www.debian.org/security/2016/dsa-3464 [WEB]
- http://www.openwall.com/lists/oss-security/2016/01/25/8 [WEB]