PT-2009-4839 · Ruby · Ruby On Rails
N8 · Published 2009-07-10 · Updated 2024-02-13 · CVE-2009-2422

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ruby on Rails versions prior to 2.3.3

Description: The issue concerns the digest authentication functionality in Ruby on Rails, where the example code defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist. This allows attackers to bypass authentication for applications derived from this example by sending an invalid username without a password.

Recommendations: For versions prior to 2.3.3, update to version 2.3.3 or later to resolve the issue. As a temporary workaround, modify the authenticate_or_request_with_http_digest block to return false when the user does not exist, instead of returning nil.
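The following Ruby snippet is an added illustration, not code from this advisory or from Rails itself. It shows the shape of the lookup block the advisory describes (a plain hash lookup that yields nil for an unknown user) beside the recommended form that returns false, why a nil password is dangerous once it reaches a digest computation (Array#join renders nil as an empty string), and a simplified verifier that refuses to hash at all when the block returns no password. The USERS table, the realm, nonce and other credential fields, and the verifier are constructed stand-ins for demonstration; the verifier models the check, it is not Rails' implementation.

```ruby
require 'digest/md5'

# Constructed sample user store standing in for an application's own
# (username => plaintext password). Not part of the advisory or of Rails.
USERS = { 'alice' => 'correct horse battery staple' }.freeze

# Shape of the example block the advisory describes: a bare hash lookup,
# which yields nil (not an explicit rejection) for a username that does not exist.
def vulnerable_password_for(username)
  USERS[username]
end

# Workaround shape from the advisory: return false when the user does not exist.
def hardened_password_for(username)
  USERS.fetch(username, false)
end

# Root-cause illustration: Array#join silently renders nil as an empty string,
# so a missing password becomes "user:realm:" if it reaches the hash computation,
# a value that depends on no secret at all.
def ha1_input(username, realm, password)
  [username, realm, password].join(':')
end

# Expected digest response for qop=auth (RFC 2617 shape). Modelled stand-in
# for the framework's check, not Rails' own implementation.
def expected_response(http_method, uri, creds, password)
  ha1 = Digest::MD5.hexdigest(ha1_input(creds[:username], creds[:realm], password))
  ha2 = Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(':'))
  Digest::MD5.hexdigest([ha1, creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop], ha2].join(':'))
end

# Verifier that short-circuits when the lookup block yields no password
# (nil or false), so an unknown user can never match a computable digest.
def digest_valid?(http_method, uri, creds, &password_procedure)
  password = password_procedure.call(creds[:username])
  return false unless password
  expected_response(http_method, uri, creds, password) == creds[:response]
end

# Constructed Authorization-header fields as the verifier would see them after parsing.
def sample_credentials(username, response: nil)
  { username: username, realm: 'Secret Area', nonce: 'c0ffee', nc: '00000001',
    cnonce: 'beef', qop: 'auth', response: response }
end

if __FILE__ == $0
  # A legitimate client computes the same digest from the real password.
  legit = sample_credentials('alice')
  legit[:response] = expected_response('GET', '/secret', legit, USERS['alice'])
  puts(digest_valid?('GET', '/secret', legit) { |u| hardened_password_for(u) })   # true

  # An unknown user is rejected before any hashing, whichever block is used.
  unknown = sample_credentials('mallory', response: 'not-a-real-digest')
  puts(digest_valid?('GET', '/secret', unknown) { |u| vulnerable_password_for(u) }) # false
end
```

The defensive point is the `return false unless password` guard: whatever the block returns for a missing user, the verifier must treat a falsy password as an authentication failure rather than feed it into the digest. Returning false from the block, as the advisory's workaround recommends, makes the block's intent explicit as well.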

Exploit

Fix

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2009-2422
GHSA-RXQ3-GM4P-5FJ4

Affected Products

Ruby On Rails