
50 matches found

CNNVD
added 2024/09/17 12:00 a.m. · 2 views

Devise-Two-Factor Security Vulnerability

Devise-Two-Factor is a minimalist open-source extension of Devise. It is used to provide support for two-factor authentication via TOTP schemes. A security vulnerability exists in Devise-Two-Factor versions 2.2.0 and earlier and 6.0.0 and earlier, which stems from an...

CVSS 6 · AI score 6.5 · EPSS 0.00245
Exploits 0 · References 3
RubySec
added 2024/09/17 12:00 a.m. · 23 views

Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length

Summary: Under the default configuration, Devise-Two-Factor versions <= 2.2.0 and <= 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier...

CVSS 6 · AI score 6.9 · EPSS 0.00245
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/01/12 3:13 p.m. · 11 views

GHSA-CHCR-X7HC-8FP8 Devise-Two-Factor vulnerable to brute force attacks

Advisory withdrawn: the backing CVE has been rejected. Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password (TOTP) algorithm's inherent entropy limitations, it's possible for an attacker to bypass the 2F...

CVSS 5 · AI score 8.3
Exploits 0 · References 4
Veracode
added 2024/01/12 9:57 a.m. · 17 views

Brute Force Attack

devise-two-factor is vulnerable to Brute Force Attack. The vulnerability is due to a lack of restriction of login attempts in Devise-Two-Factor. This issue, when combined with the inherent entropy limitations of the Time-based One-Time Password (TOTP) algorithm, allows an attacker to...

AI score 7
Exploits 0 · References 1 · Affected Software 1
RubySec
added 2024/01/11 9:00 p.m. · 14 views

Devise-Two-Factor vulnerable to brute force attacks

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password (TOTP) algorithm's inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks. Impact: If a...

AI score 7.7
Exploits 0 · References 1 · Affected Software 1
Prion
added 2024/01/11 8:15 p.m. · 18 views

Design/Logic Flaw

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password (TOTP) algorithm's inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks...

CVSS 5.1 · AI score 7.1
Exploits 0 · References 1 · Affected Software 1
CVE
added 2024/01/11 7:35 p.m. · 63 views

CVE-2024-0227

Devise-Two-Factor is vulnerable to brute-force attacks due to no throttling of login attempts by default, allowing an attacker to test possible TOTP codes if the username/password are compromised. Documents from RubySec and GitHub advisories describe an attacker bypassing 2FA by brute-forcing TOTP, w...

AI score 8
Exploits 0
Positive Technologies
added 2024/01/11 12:00 a.m. · 4 views

PT-2024-15397 · Unknown · Devise-Two-Factor

Name of the Vulnerable Software and Affected Versions: Devise-Two-Factor (affected versions not specified). Description: The issue concerns Devise-Two-Factor not throttling or restricting login attempts at the server by default. When combined with the Time-based One Time Password (TOTP) algorithm's...

CVSS 5 · AI score 7.3
Exploits 0 · References 10
CNNVD
added 2024/01/11 12:00 a.m. · 4 views

Number withdrawn

Devise-Two-Factor is a minimalist extension to Devise. It is used to provide support for two-factor authentication through the TOTP scheme. This CVE number has been withdrawn...

AI score 7
Exploits 0 · References 2
Veracode
added 2022/04/12 7:15 a.m. · 28 views

Time-Based One-Time Password Algorithm (TOTP) Replay Attack

devise-two-factor is vulnerable to time-based one-time password algorithm (TOTP) replay attacks. A remote attacker is able to reuse the one-time password immediately trailing the interval in order to gain access to the victim's account, given that the attacker already knows the victim's credentials...

CVSS 5.3 · AI score 3.9 · EPSS 0.00648
Exploits 0 · References 2 · Affected Software 2
NVD
added 2022/04/11 8:15 p.m. · 11 views

CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · EPSS 0.00386
Exploits 0 · References 1
OSV
added 2022/04/11 8:15 p.m. · 1 view

DEBIAN-CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · AI score 5.5 · EPSS 0.00386
Exploits 0 · References 1
OSV
added 2022/04/11 8:15 p.m. · 16 views

CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · AI score 5.2
Exploits 0 · References 1
OSV
added 2022/04/11 8:15 p.m. · 1 view

UBUNTU-CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · AI score 6 · EPSS 0.00386
Exploits 0 · References 6
UbuntuCve
added 2022/04/11 8:15 p.m. · 46 views

CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · AI score 6.1 · EPSS 0.00386
Exploits 0 · References 5
Prion
added 2022/04/11 8:15 p.m. · 17 views

Design/Logic Flaw

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 3.5 · AI score 5.1 · EPSS 0.00648
Exploits 0 · References 1 · Affected Software 1
Cvelist
added 2022/04/11 7:37 p.m. · 14 views

CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

AI score 5.5 · EPSS 0.00386
Exploits 0 · References 1
Debian CVE
added 2022/04/11 7:37 p.m. · 39 views

CVE-2021-43177

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N...

CVSS 5.3 · AI score 5.2 · EPSS 0.00386
Exploits 0
CNNVD
added 2022/04/11 12:00 a.m. · 2 views

Devise-Two-Factor Security Vulnerability

Devise-Two-Factor is a minimalist extension to Devise. It is used to provide support for two-factor authentication via the TOTP scheme. A security vulnerability in versions of Devise-Two-Factor prior to 4.0.2 allows an attacker to reuse a one-time password (OTP) for one and only one immediately...

CVSS 5.3 · AI score 5.7 · EPSS 0.00386
Exploits 0 · References 3
Github Security Blog
added 2022/04/07 10:09 p.m. · 25 views

Improper one time password handling in devise-two-factor

Impact: As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one and only one immediately trailing interval. Patches: This vulnerability has been patched in version 4.0.2, which was released on March...

CVSS 5.3 · AI score 1.4 · EPSS 0.00386
Exploits 0 · References 5 · Affected Software 1