Description
The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
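The nil-versus-false difference described above, as an added Ruby example that is not code from Rails or from the original page. The verifier is a simplified model that assumes the lookup's return value is joined into the HA1 string (so nil behaves like an empty password); `REALM`, `USERS`, the lookups and all function names are hypothetical.

```ruby
require 'digest/md5'

# Constructed sample data; the realm, user and password are illustrative.
REALM = 'Application'
USERS = { 'alice' => 'correct horse' }.freeze

# Pattern from the description: Hash#[] returns nil for an unknown user.
NIL_LOOKUP = ->(username) { USERS[username] }
# Corrected pattern: an unknown user yields an explicit false.
FALSE_LOOKUP = ->(username) { USERS[username] || false }

# RFC 2617 response without qop, enough to show the nil handling.
def digest_response(username, password, method, uri, nonce)
  ha1 = Digest::MD5.hexdigest([username, REALM, password].join(':'))
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, nonce, ha2].join(':'))
end

# What a client sends: username plus the response it computed (nonce checks omitted).
def client_request(username, password)
  { username: username, method: 'GET', uri: '/admin', nonce: 'constructed-nonce',
    response: digest_response(username, password, 'GET', '/admin', 'constructed-nonce') }
end

# Model verifier (assumption, not Rails source): false from the lookup is a
# rejection; anything else is joined into HA1, where nil becomes "".
def digest_valid?(req, lookup)
  password = lookup.call(req[:username])
  return false if password == false
  expected = digest_response(req[:username], password, req[:method], req[:uri], req[:nonce])
  expected == req[:response]
end

# Defence in depth in the verifier itself: only a non-empty String is a password.
def strict_digest_valid?(req, lookup)
  password = lookup.call(req[:username])
  return false unless password.is_a?(String) && !password.empty?
  digest_valid?(req, ->(_) { password })
end

# Regression check: unknown user with an empty password, per combination.
def regression_results
  req = client_request('nosuchuser', '')
  { nil_lookup: digest_valid?(req, NIL_LOOKUP),
    false_lookup: digest_valid?(req, FALSE_LOOKUP),
    strict_verifier: strict_digest_valid?(req, NIL_LOOKUP) }
end
```

`regression_results` is suitable as a test case for any application derived from the example code: only the `nil_lookup` entry should ever be true, and that is the combination to eliminate.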