CVE-2019-16109
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records wou...
CVE-2019-16109
CVE-2019-16109 affects Plataformatec Devise before 4.7.1. The flaw allows account confirmation when a request carries a blank confirmation_token and a database record has a blank token, though there is no scenario within Devise where such records would exist. Red Hat/NVD/OSV/Nessus attest to the s...
Devise Gem for Ruby confirmation token validation with a blank string
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist...
CVE-2019-5421
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically in the increment_failed_attempts method. File location: lib/devise/models/lockable.rb. This can result in multiple concurrent requests c...
DEBIAN-CVE-2019-5421
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically in the increment_failed_attempts method. File location: lib/devise/models/lockable.rb. This can result in multiple concurrent requests c...
UBUNTU-CVE-2019-5421
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically in the increment_failed_attempts method. File location: lib/devise/models/lockable.rb. This can result in multiple concurrent requests c...
Design/Logic Flaw
Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, more specifically in the increment_failed_attempts method. File location: lib/devise/models/lockable.rb. This can result in multiple concurrent requests c...
CVE-2019-5421
CVE-2019-5421 affects Plataformatec Devise up to and including version 4.5.0, where the lockable module, specifically Devise::Models::Lockable#increment_failed_attempts, contains a CWE-367 race condition. This can allow multiple concurrent requests to bypass blocking of brute-force attempts, with...
GHSA-73RF-6MRF-759Q devise Time-of-check Time-of-use Race Condition vulnerability
Devise ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe...
devise Time-of-check Time-of-use Race Condition vulnerability
Devise ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe...
Time-of-check To Time-of-Use (TOCTOU)
devise is vulnerable to time-of-check to time-of-use (TOCTOU) attacks. The vulnerability exists through a concurrency issue where using :lockable could allow a user to perform an action multiple times while the backend counts these as 1 attempt only...
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Devise ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe...
Regular Expression Denial Of Service (ReDoS)
devise-security is vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability exists due to the usage of a vulnerable regular expression that allows a malicious string to cause a ReDoS attack when parsed...
GHSA-X489-JJWM-52G7 Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 § 5.2 and does not "burn" a successfully validated one-time password aka OTP, which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing ...
Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 § 5.2 and does not "burn" a successfully validated one-time password aka OTP, which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing ...
Information Disclosure During Authentication
devise-i18n is vulnerable to information disclosure. The devise library uses devise.failure.invalid when a user attempts to log in with a valid user name but an incorrect password; it uses devise.failure.not_found_in_database when the user name does not exist. In a default installation of devise th...