Vulnerability details: VCID-d7rs-7c74-xkex
Vulnerability ID: VCID-d7rs-7c74-xkex
Aliases: CVE-2009-2422, GHSA-rxq3-gm4p-5fj4
Summary (Improper Authentication): The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.
Status: Published
Exploitability: 0.5
Weighted Severity: 9.0
Risk: 4.5
System Score Found at
cvssv3.1 9.8 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
generic_textual CRITICAL http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
cvssv3.1 9.8 http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
generic_textual CRITICAL http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
epss 0.00403 https://api.first.org/data/v1/epss?cve=CVE-2009-2422
cvssv3.1 9.8 https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
generic_textual CRITICAL https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rxq3-gm4p-5fj4
cvssv3.1 9.8 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
generic_textual CRITICAL https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2009-2422
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2009-2422
cvssv3.1 9.8 http://support.apple.com/kb/HT4077
generic_textual CRITICAL http://support.apple.com/kb/HT4077
cvssv3.1 9.8 https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
generic_textual CRITICAL https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
cvssv3.1 9.8 https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
generic_textual CRITICAL https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
cvssv3 9.8 http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
cvssv3.1 9.8 http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
generic_textual CRITICAL http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Decoded: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high.
All nine sources below record this same vector. Found at:
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
https://exchange.xforce.ibmcloud.com/vulnerabilities/51528
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2009-2422.yml
https://nvd.nist.gov/vuln/detail/CVE-2009-2422
http://support.apple.com/kb/HT4077
https://web.archive.org/web/20090711160153/http://secunia.com/advisories/35702
https://web.archive.org/web/20200229192617/http://www.securityfocus.com/bid/35579
http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest
Exploit Prediction Scoring System (EPSS)
Percentile: 0.61174
EPSS Score: 0.00403
Published At: May 30, 2026, 12:55 p.m.
Import history (Date / Actor / Action / Source / VulnerableCode Version):
2026-05-30T20:53:12.884912+00:00 / GitLab Importer / Import / https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rails/CVE-2009-2422.yml / 38.6.0