CVE-2015-7576

Name: CVE-2015-7576
Creator: NVD / NIST
Published: 2016-02-16T02:59:00.11+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.86%

Last modified Jun 17, 2026

CVE-2015-7576 is a vulnerability of currently unknown severity. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.. EPSS estimates a 4.86% chance of exploitation in the next 30 days.

Description

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Metrics

EPSS Probability

4.86%

90.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-254

Affected Software

Vendor	Product	Versions	Update
Rubyonrails	Rails	4.0.0	—
Rubyonrails	Rails	4.0.1	—
Rubyonrails	Rails	4.0.2	—
Rubyonrails	Rails	4.0.3	—
Rubyonrails	Rails	4.0.4	—
Rubyonrails	Rails	4.0.5	—
Rubyonrails	Rails	4.0.6	—
Rubyonrails	Rails	4.0.7	—
Rubyonrails	Rails	4.0.8	—
Rubyonrails	Rails	4.0.9	—
Rubyonrails	Rails	4.0.10	—
Rubyonrails	Rails	4.1.0	—
Rubyonrails	Rails	4.1.1	—
Rubyonrails	Rails	4.1.2	—
Rubyonrails	Rails	4.1.3	—
Rubyonrails	Rails	4.1.4	—
Rubyonrails	Rails	4.1.5	—
Rubyonrails	Rails	4.1.6	—
Rubyonrails	Rails	4.1.7	—
Rubyonrails	Rails	4.1.7.1	—
Rubyonrails	Rails	4.1.8	—
Rubyonrails	Rails	4.1.9	—
Rubyonrails	Rails	4.1.10	—
Rubyonrails	Rails	4.1.12	—
Rubyonrails	Rails	4.1.13	—
Rubyonrails	Rails	4.1.14	—
Rubyonrails	Rails	4.2.0	—
Rubyonrails	Rails	4.2.1	—
Rubyonrails	Rails	4.2.2	—
Rubyonrails	Rails	4.2.3	—
Rubyonrails	Rails	4.2.4	—
Rubyonrails	Rails	4.2.5	—
Rubyonrails	Rails	5.0.0	Beta1
Rubyonrails	Ruby On Rails	<= 3.2.22	—
Rubyonrails	Ruby On Rails	4.0.10	Rc2
Rubyonrails	Ruby On Rails	4.0.11	—
Rubyonrails	Ruby On Rails	4.0.11.1	—
Rubyonrails	Ruby On Rails	4.0.12	—
Rubyonrails	Ruby On Rails	4.0.13	—
Rubyonrails	Ruby On Rails	4.1.11	—

References

Timeline

Published: Feb 16, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-7576?

How severe is CVE-2015-7576?

Severity scoring for CVE-2015-7576 is pending analysis. The EPSS model estimates a 4.86% probability of exploitation in the next 30 days.

How do I fix CVE-2015-7576?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-7576?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST