Description
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
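To show why a short-circuiting comparison leaks and how a constant-time check removes the leak, the following is an added example (not the Rails code from the advisory above): a model of a naive comparison that reports how many bytes it examined before stopping, beside a constant-time comparison that hashes both inputs to a fixed length before XOR-folding them, modelled on the approach taken by ActiveSupport::SecurityUtils. Function names and sample credentials are constructed for this example.

```ruby
require "digest"

# Models a short-circuiting string comparison (the behaviour of a plain ==):
# returns [equal?, bytes_examined]. The second value is the leak: it grows
# with the length of the matching prefix, which is what an attacker measures.
def naive_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison for equal-length strings: XOR every byte pair and
# OR the results together, so every byte is always inspected and the time
# taken does not depend on where the first mismatch is.
def fixed_length_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.each_with_index { |byte, i| acc |= byte ^ b.getbyte(i) }
  acc.zero?
end

# Variable-length inputs: hash both sides to a fixed 32-byte digest first, so
# the length check above does not leak the length of the stored secret.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Hardened credential check: non-short-circuit & ensures both comparisons
# always run, so a wrong username does not skip the password comparison.
def basic_auth_valid?(user, pass, expected_user, expected_pass)
  secure_compare(user, expected_user) & secure_compare(pass, expected_pass)
end
```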
Remediation
References
Related Vulnerabilities
WordPress Plugin Jigoshop Information Disclosure (1.17.9)
WordPress Plugin Redux Framework Cross-Site Scripting (4.4.17)
WordPress Plugin Live Comment Preview Cross-Site Scripting (2.0.2)
Magento XML Injection (aka Blind XPath Injection) Vulnerability (CVE-2022-34253)
IBM RTC Improper Input Validation Vulnerability (CVE-2015-1928)