Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive


gem: consul
date: 2019-09-23
cve: 2019-16377
title: 'Consul gem insufficient authentication check: Multiple powers in one controller
  are not always checked correctly

description: |
  With the consul ruby gem before 1.0.3, if a controller checks multiple powers
  using `:if` or `:except` conditions, these conditions are erroneously applied
  to all power checks in that controller. This can lead to skipped power checks
  and hence unauthenticated access to certain controller actions.
- ">= 1.0.3"