Daniel Waterworth

#51294de 53,640
4.3 CVSS total
Vulnerabilities · 1

PT-2016-1514
CVSS 4.3
2016-01-31
Ruby · Ruby On Rails · CVE-2015-7576
**Name of the Vulnerable Software and Affected Versions**

- Ruby on Rails versions prior to 3.2.22.1
- Ruby on Rails versions 4.0.x through 4.1.14
- Ruby on Rails versions 4.2.x through 4.2.5
- Ruby on Rails versions 5.x through 5.0.0.beta1

**Description**

The issue lies in the `http_basic_authenticate_with` method of the Basic Authentication implementation in Action Controller, which does not use a constant-time algorithm for verifying credentials. Because the comparison stops at the first mismatching byte, its running time depends on how much of the supplied credential matches the expected value, which makes it easier for remote attackers to bypass authentication by measuring timing differences. The vulnerability can be exploited by a remote attacker to bypass the authentication procedure.

**Recommendations**

- For Ruby on Rails versions prior to 3.2.22.1, update to version 3.2.22.1 or later.
- For Ruby on Rails versions 4.0.x through 4.1.14, update to version 4.1.14.1 or later.
- For Ruby on Rails versions 4.2.x through 4.2.5, update to version 4.2.5.1 or later.
- For Ruby on Rails versions 5.x through 5.0.0.beta1, update to version 5.0.0.beta1.1 or later.
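The following added example (not code from Rails or from this advisory) contrasts the variable-time `String#==` pattern behind this issue with a constant-time comparison of the same shape as `ActiveSupport::SecurityUtils.secure_compare`, and applies it in a hypothetical Basic-auth credential check; `basic_auth_ok?` and its parameters are assumed names, not a Rails API.

```ruby
require 'digest'

# Vulnerable pattern: String#== returns as soon as a byte (or the length)
# differs, so the time taken reveals how long the matching prefix is.
def variable_time_equal?(a, b)
  a == b
end

# Constant-time comparison for two strings of equal byte length: every byte
# pair is XORed and OR-accumulated, and there is no early return.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, 'inputs must be the same length' unless a.bytesize == b.bytesize

  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Arbitrary-length inputs: compare fixed-size SHA-256 digests in constant
# time so the length is not leaked, then confirm the originals are equal
# (the trailing == only runs once the digests already match).
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b)) && a == b
end

# Hypothetical Basic-auth check (assumed name, not Rails' own code). Both
# comparisons are always evaluated and combined with a non-short-circuiting
# bitwise AND, so a wrong user name does not skip the password comparison.
def basic_auth_ok?(given_name, given_password, expected_name:, expected_password:)
  name_ok = secure_compare(given_name, expected_name)
  pass_ok = secure_compare(given_password, expected_password)
  name_ok & pass_ok
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample credentials for a local run.
  puts basic_auth_ok?('admin', 'hunter2', expected_name: 'admin', expected_password: 'hunter2')
  puts basic_auth_ok?('admin', 'hunter3', expected_name: 'admin', expected_password: 'hunter2')
end
```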