CVSS v3.x: 9.8 (Critical)
- >= 1.0.3
With the consul ruby gem before 1.0.3, if a controller checks multiple powers
:except conditions, these conditions are erroneously applied
to all power checks in that controller. This can lead to skipped power checks
and hence unauthenticated access to certain controller actions.