Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: consul
date: 2019-09-23
url: https://github.com/makandra/consul/issues/49
cve: 2019-16377
title: 'Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly'
description: |
  With the consul Ruby gem before 1.0.3, if a controller checks multiple powers
  using `:if` or `:except` conditions, these conditions are erroneously applied
  to all power checks in that controller. This can lead to skipped power checks
  and hence unauthenticated access to certain controller actions.
patched_versions:
- ">= 1.0.3"