RubySec

Providing security resources for the Ruby community

CVE-2019-16377 (consul): Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly

ADVISORIES

GEM

consul

PATCHED VERSIONS

  • >= 1.0.3

DESCRIPTION

With the consul ruby gem before 1.0.3, if a controller checks multiple powers using :if or :except conditions, these conditions are erroneously applied to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions.