Security vulnerability: Multiple powers in one controller are not always checked correctly #49
We have identified a security issue in consul. When a controller has multiple power directives, the :only and :except options of the last directive are applied to all directives. This can lead to unauthenticated access to certain controller actions.
Affected versions: <= 1.0.2
Affected code looks like this:
```ruby
class UsersController < ApplicationController
  power :foo
  power :bar, only: :index
  ...
end
```
In this example both powers, :foo and :bar, are checked only for the #index action. All other actions are left without any power check.
Controllers with a single power directive are unaffected. Controllers where no power directive uses the :only or :except options are unaffected.
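As an added illustration (this is not code from the consul gem; all class and method names are hypothetical), the following simplified model shows how a controller collects `power` directives and decides which powers to check for a given action. `BuggyPowers` reproduces the behaviour described above, where only the last directive's :only/:except options are kept and applied to every power; `FixedPowers` keeps each directive's options separate. The `unprotected_actions` helper is the kind of audit a team can run over its own controllers to find actions that end up with no power check at all.

```ruby
# Added example, not code from the consul gem. Names are hypothetical.

# Shared helper: does a directive with these :only/:except options cover
# the given action? Mirrors the usual Rails filter-option semantics.
def action_covered?(action, only: nil, except: nil)
  action = action.to_sym
  return false if only && !Array(only).map(&:to_sym).include?(action)
  return false if except && Array(except).map(&:to_sym).include?(action)
  true
end

# Buggy variant: power names are collected in one list, but only a single
# options hash (the last one seen) is kept and applied to the whole list.
# A later `power :bar, only: :index` therefore narrows `power :foo` as well.
module BuggyPowers
  def power(name, **options)
    @power_names ||= []
    @power_names << name
    @power_options = options # overwrites the options of earlier directives
  end

  # Powers that would actually be checked before running `action`.
  def powers_checked_for(action)
    return [] unless action_covered?(action, **(@power_options || {}))
    @power_names || []
  end
end

# Fixed variant: every directive keeps its own options, so each power is
# evaluated against the scope it was declared with.
module FixedPowers
  def power(name, **options)
    @directives ||= []
    @directives << [name, options]
  end

  def powers_checked_for(action)
    (@directives || []).select { |_, opts| action_covered?(action, **opts) }
                       .map(&:first)
  end
end

# Audit helper: which of a controller's actions have no power check at all?
def unprotected_actions(controller, actions)
  actions.reject { |action| controller.powers_checked_for(action).any? }
end

# The controller from the advisory, declared once per variant.
class BuggyUsersController
  extend BuggyPowers
  power :foo
  power :bar, only: :index
end

class FixedUsersController
  extend FixedPowers
  power :foo
  power :bar, only: :index
end

# Constructed list of actions a typical resource controller exposes.
ACTIONS = %i[index show edit update destroy].freeze

if __FILE__ == $PROGRAM_NAME
  puts "buggy, unprotected: #{unprotected_actions(BuggyUsersController, ACTIONS).inspect}"
  puts "fixed, unprotected: #{unprotected_actions(FixedUsersController, ACTIONS).inspect}"
end
```

With the buggy variant, only #index is protected and `unprotected_actions` reports #show, #edit, #update and #destroy; with the fixed variant, :foo is still checked for every action and :bar only for #index, so no action is left unprotected.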
This vulnerability has been assigned the CVE identifier CVE-2019-16377.