Lucene search
GoogleOSV:GHSA-JM35-H8Q2-73MPHistoryApr 07, 2022 - 10:09 p.m.
Improper one time password handling in devise-two-factor
2022-04-0722:09:03
Google
osv.dev
5
0.002 Low
EPSS
Percentile
61.7%
Impact
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval.
Patches
This vulnerability has been patched in version 4.0.2 which was released on March 24th, 2022. Individuals using this package are strongly encouraged to upgrade as soon as possible.
Credit for discovery
Benoit Cรดtรฉ-Jodoin
Michael Nipper - https://github.com/tinfoil/devise-two-factor/issues/106
Related
cve
cve
CVE-2021-43177
2022-04-11 20:15:16
CVE-2015-7225
2017-09-06 21:29:00
cvelist
cvelist
CVE-2021-43177
2022-04-11 19:37:40
CVE-2015-7225
2017-09-06 21:00:00
github
github
Improper one time password handling in devise-two-factor
2022-04-07 22:09:03
nvd
nvd
CVE-2021-43177
2022-04-11 20:15:16
CVE-2015-7225
2017-09-06 21:29:00
debiancve
debiancve
CVE-2021-43177
2022-04-11 20:15:16
CVE-2015-7225
2017-09-06 21:29:00
ubuntucve
ubuntucve
CVE-2021-43177
2022-04-11 00:00:00
CVE-2015-7225
2017-09-06 00:00:00
prion
prion
Design/Logic Flaw
2022-04-11 20:15:00
Code injection
2017-09-06 21:29:00
veracode
veracode
Time-Based One-Time Password Algorithm (TOPT) Replay Attack
2022-04-12 07:15:00
osv
osv
CVE-2021-43177
2022-04-11 20:15:16
rubygems
rubygems
Improper one time password handling in devise-two-factor
2022-04-06 21:00:00