CVE-2024-8796

2024-09-1718:15:05

Debian Security Bug Tracker

security-tracker.debian.org

devise-two-factor

totp shared secret

rfc 4226

multi-factor authentication

vulnerability

attacker

guessing

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

7.2

Confidence

Low

EPSS

Percentile

9.6%

JSON

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

OSVersionArchitecturePackageVersionFilename
Debian12allruby-devise-two-factor<= 4.0.2-1ruby-devise-two-factor_4.0.2-1_all.deb
Debian11allruby-devise-two-factor<= 3.1.0-2ruby-devise-two-factor_3.1.0-2_all.deb
Debian999allruby-devise-two-factor<= 4.0.2-1ruby-devise-two-factor_4.0.2-1_all.deb
Debian13allruby-devise-two-factor<= 4.0.2-1ruby-devise-two-factor_4.0.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ruby-devise-two-factor	<= 4.0.2-1	ruby-devise-two-factor_4.0.2-1_all.deb
Debian	11	all	ruby-devise-two-factor	<= 3.1.0-2	ruby-devise-two-factor_3.1.0-2_all.deb
Debian	999	all	ruby-devise-two-factor	<= 4.0.2-1	ruby-devise-two-factor_4.0.2-1_all.deb
Debian	13	all	ruby-devise-two-factor	<= 4.0.2-1	ruby-devise-two-factor_4.0.2-1_all.deb