Lucene search

GoogleOSV:CVE-2024-8796

HistorySep 17, 2024 - 6:15 p.m.

CVE-2024-8796

2024-09-1718:15:05

Google

osv.dev

devise-two-factor

totp

shared secret

multi-factor authentication

rfc 4226

vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.4

Confidence

High

JSON

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

References

github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

security-tracker.debian.org/tracker/CVE-2024-8796

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.4

Confidence

High

JSON

Related for OSV:CVE-2024-8796