CVE-2015-7576

LOW Year: 2015
CVSS v3 Score
3.7
Low
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-254
View all →

Vulnerability Description

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Related Vulnerabilities

CVE-2016-0240

LOW
CVSS:3.7(Low)

IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 does not enable the HSTS protection mechanism, which makes it easier for...

CWE-2542016

CVE-2016-0266

LOW
CVSS:3.7(Low)

IBM AIX 5.3, 6.1, 7.1, and 7.2 and VIOS 2.2.x do not default to the latest TLS version, which makes it easier for man-in-the-middle attackers to obtain sensitive information via unspecified vectors.

CWE-2542016

CVE-2016-1551

LOW
CVSS:3.7(Low)

ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clock...

CWE-2542016

CVE-2016-5702

LOW
CVSS:3.7(Low)

phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.

CWE-2542016

CVE-2016-4751

LOW
CVSS:3.5(Low)

The Safari Tabs component in Apple Safari before 10 allows remote attackers to spoof the address bar of a tab via a crafted web site.

CWE-2542016

CVE-2015-4960

MEDIUM
CVSS:4.1(Medium)

IBM InfoSphere Master Data Management - Collaborative Edition 9.1, 10.1, 11.0 before 11.0.0.0 IF11, 11.3 before 11.3.0.0 IF7, and 11.4 before 11.4.0.4 IF1 allows remote authenticated users to conduct ...

CWE-2542015