DEBIAN-CVE-2009-2422

DEBIAN-CVE-2009-2422 PUBLISHED CVSS 9.800000190734863 CRITICAL

The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:13	rails	0, 0, 0
Debian:14	rails	0, 0, 0
Debian:11	rails	0, 0, 0
Debian:12	rails	0, 0, 0

Timeline

Jul 10, 2009 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2009-2422 advisory

Open in Interactive Console →