Lucene search

SNPSCVE-2024-8796

HistorySep 17, 2024 - 6:15 p.m.

CVE-2024-8796

2024-09-1718:15:05

CWE-331

SNPS

web.nvd.nist.gov

devise-two-factor

totp

multi-factor authentication

rfc 4226

shared secret

attacker

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.4

Confidence

High

EPSS

Percentile

9.6%

JSON

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "packageName": "devise-two-factor",
    "product": "devise-two-factor",
    "vendor": "devise-two-factor",
    "versions": [
      {
        "lessThan": "6.0.0",
        "status": "affected",
        "version": "2.2.0",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.4

Confidence

High

EPSS

Percentile

9.6%

JSON

Related for CVE-2024-8796