---
gem: consul
cve: 2019-16377
url: https://github.com/makandra/consul/issues/49
title: |
  Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly
date: 2019-09-23
description: |
  With the consul ruby gem before 1.0.3, if a controller checks multiple powers
  using `:if` or `:except` conditions, these conditions are erroneously applied
  to all power checks in that controller. This can lead to skipped power checks
  and hence unauthenticated access to certain controller actions.

patched_versions:
  - ">= 1.0.3"