We have identified a security issue in consul. When a controller has multiple power directives, the :only and :except options of the last directive are applied to all directives. This can lead to unauthenticated access to certain controller actions.
Affected versions: <= 1.0.2
Fixed versions: 1.0.3
Affected code looks like this:
```ruby
class UsersController < ApplicationController
  power :foo
  power :bar, only: :index
  ...
end
```
In this example both the powers :foo and :bar are only checked for the #index action. Other actions were left unprotected by power checks.
Controllers with a single power directive are unaffected. Controllers where neither power uses :only or :except options are unaffected.
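To make the effect concrete, here is an added toy model (not consul's own code) of how a list of `power` directives resolves to per-action checks. It contrasts the intended per-directive handling of :only/:except with the buggy merge described above, where the last directive's options are applied to every directive, and reports the actions on which a power is silently skipped. `Directive`, `powers_checked`, `powers_checked_buggy` and `unprotected_actions` are names chosen for this illustration; the sample directive list mirrors the UsersController example.

```ruby
# Added example: a toy model of how a controller's `power` directives
# resolve to per-action checks. It is NOT consul's code; it only
# illustrates the difference between the buggy merge described in the
# advisory (the last directive's :only/:except applied to every
# directive) and the intended per-directive behaviour.
Directive = Struct.new(:power, :only, :except)

# Does a directive with the given :only/:except options cover this action?
def applies?(only, except, action)
  return Array(only).include?(action) unless only.nil?
  return !Array(except).include?(action) unless except.nil?
  true
end

# Intended behaviour: each directive keeps its own :only/:except options.
def powers_checked(directives, action)
  directives.select { |d| applies?(d.only, d.except, action) }.map(&:power)
end

# Buggy behaviour: the options of the last directive are applied to all.
def powers_checked_buggy(directives, action)
  last = directives.last
  directives.select { |d| applies?(last.only, last.except, action) }.map(&:power)
end

# Constructed sample matching the advisory's UsersController:
#   power :foo
#   power :bar, only: :index
USERS_DIRECTIVES = [
  Directive.new(:foo, nil, nil),
  Directive.new(:bar, :index, nil),
].freeze

# For each action, list the powers that should be checked but are not
# under the buggy merge. An empty result means the controller is unaffected.
def unprotected_actions(directives, actions)
  actions.each_with_object({}) do |action, gaps|
    missing = powers_checked(directives, action) - powers_checked_buggy(directives, action)
    gaps[action] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[index show update].each do |action|
    puts "#{action}: intended=#{powers_checked(USERS_DIRECTIVES, action).inspect} " \
         "buggy=#{powers_checked_buggy(USERS_DIRECTIVES, action).inspect}"
  end
  p unprotected_actions(USERS_DIRECTIVES, %i[index show update])
end
```

Running the file prints that #index is checked for both powers under either strategy, while #show and #update lose the :foo check under the buggy merge, which is exactly the gap the advisory describes. A controller with a single directive, or with no :only/:except options on any directive, yields an empty gap map.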
This vulnerability has been assigned the CVE identifier CVE-2019-16377.