Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly
Published: September 23, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-16377 (NVD)
- GHSA: GHSA-8jhx-9gf4-hhf5
- Vendor Advisory: https://github.com/makandra/consul/issues/49
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
>= 1.0.3
DESCRIPTION
With the consul ruby gem before 1.0.3, if a controller checks multiple powers
using :if or :except conditions, these conditions are erroneously applied
to all power checks in that controller. This can lead to skipped power checks
and hence unauthenticated access to certain controller actions.