Updated advisory posts against rubysec/ruby-advisory-db@14adbb4

jasnow · RubySec CI · commit 91a2c5ef70b8 · 2024-02-14T19:40:49.000Z
diff --git a/advisories/_posts/2009-07-10-CVE-2009-2422.md b/advisories/_posts/2009-07-10-CVE-2009-2422.md
@@ -0,0 +1,38 @@
+---
+layout: advisory
+title: 'CVE-2009-2422 (rails): High Security Vulnerability with authenticate_with_http_digest
+  of Rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+  gem: rails
+  framework: rails
+  cve: 2009-2422
+  ghsa: rxq3-gm4p-5fj4
+  url: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
+  title: High Security Vulnerability with authenticate_with_http_digest of Rails
+  date: 2009-07-10
+  description: |
+    The example code for the digest authentication functionality
+    (http_authentication.rb) in Ruby on Rails before 2.3.3 defines
+    an authenticate_or_request_with_http_digest block that returns
+    nil instead of false when the user does not exist, which allows
+    context-dependent attackers to bypass authentication for
+    applications that are derived from this example by sending an
+    invalid username without a password.
+  cvss_v2: 7.5
+  cvss_v3: 9.8
+  patched_versions:
+  - ">= 2.3.3"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-2422
+    - http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
+    - https://lists.apple.com/archives/security-announce/2010/Mar/msg00001.html
+    - https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
+    - http://support.apple.com/kb/HT4077
+    - http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
+    - https://github.com/advisories/GHSA-rxq3-gm4p-5fj4
+---
