RubySec

Providing security resources for the Ruby community

CVE-2019-16377 (consul): Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly

GEM

consul

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • >= 1.0.3

DESCRIPTION

With the consul Ruby gem before 1.0.3, if a controller checks multiple powers using :if or :except conditions, those conditions are erroneously applied to all power checks in that controller rather than only to the check they were declared on. This can lead to skipped power checks and hence unauthenticated access to certain controller actions.
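The following is an added, simplified plain-Ruby model of the behaviour the advisory describes, not the consul gem's own code: a controller declares several power checks, each optionally scoped with :if or :except, and the flawed variant pools those options across all checks while the patched variant keeps them per check. The `PowerCheck` struct, the hash-based request context and the constructed controller are assumptions.

```ruby
# Simplified model of the advisory's bug; NOT the consul gem's implementation.
# A controller declares power checks, each with optional :if / :except scope.
PowerCheck = Struct.new(:name, :options)

# Evaluate one check's own :if / :except scope (per-check semantics).
# context is a constructed hash of predicate name => boolean.
def scope_applies?(options, action, context)
  return false if Array(options[:except]).include?(action)
  cond = options[:if]
  cond.nil? || context.fetch(cond)
end

# Models the pre-1.0.3 behaviour: :if / :except from every declared power
# check are pooled and applied to all checks in the controller, so a
# condition meant for one check can suppress every other check.
def checks_run_flawed(checks, action, context)
  pooled_if     = checks.map { |c| c.options[:if] }.compact
  pooled_except = checks.flat_map { |c| Array(c.options[:except]) }
  return [] if pooled_except.include?(action)
  return [] unless pooled_if.all? { |cond| context.fetch(cond) }
  checks.map(&:name)
end

# Models the patched behaviour: each check consults only its own options.
def checks_run_fixed(checks, action, context)
  checks.select { |c| scope_applies?(c.options, action, context) }.map(&:name)
end

# Constructed controller: the :notes check must always run; the :admin_area
# check is only relevant when the request comes from an admin.
CHECKS = [
  PowerCheck.new(:notes, {}),
  PowerCheck.new(:admin_area, { if: :admin? })
].freeze

# Constructed controller with an :except scope on one check only.
CHECKS_EXCEPT = [
  PowerCheck.new(:notes, {}),
  PowerCheck.new(:drafts, { except: :index })
].freeze

# Constructed request contexts.
NON_ADMIN = { admin?: false }.freeze
ADMIN     = { admin?: true }.freeze
```

With the pooled (flawed) semantics a non-admin request runs no checks at all, including the unconditional :notes check; with per-check semantics :notes is still enforced.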