184 matches found
Insufficient Entropy
Overview Affected versions of this package are vulnerable to Insufficient Entropy due to the use of an insufficient default, OTP shared secret length. Workaround If upgrading to the fixed version is not possible, users are advised to override the default otpsecretlength attribute in the model whe...
Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length
Summary Under the default configuration, Devise-Two-Factor versions 1.0.0 or = 4.0.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make ...
CVE-2024-8796
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
CVE-2024-8796
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
DEBIAN-CVE-2024-8796
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
UBUNTU-CVE-2024-8796
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
CVE-2024-8796 Insufficient Default OTP Shared Secret Length
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
CVE-2024-8796 Insufficient Default OTP Shared Secret Length
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
CVE-2024-8796
CVE-2024-8796 affects the Devise-Two-Factor library. Under default configuration, versions >= 2.2.0 and
CVE-2024-8796
Under the default configuration, Devise-Two-Factor versions = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an...
Devise-Two-Factor 安全漏洞
Devise-Two-Factor is a minimalist extension of Devise to the Devise-Two-Factor open source. It is used to provide support for two-factor authentication via TOTP schemes. A security vulnerability exists in Devise-Two-Factor versions 2.2.0 and earlier and 6.0.0 and earlier, which stems from an...
Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length
Summary Under the default configuration, Devise-Two-Factor version = 2.2.0 & 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier...
Ruby On Rails Devise Authentication Password Reset
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'rexml/element' class MetasploitModule 'Ruby on Rails Devise Authentication Password Reset', 'Description' = %q The Devise authentication gem for Ruby on Rails i...
GHSA-W3Q8-M492-4PWP Possibility to circumvent the invitation token expiry period
Impact The invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. When using the password reset functionality, the deviseinvitable gem always accepts the pending invitation if the user has been invited as shown in this piece...
Operation on a Resource after Expiration or Release
Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation for the pending invitation's expiry...
Operation on a Resource after Expiration or Release
Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation for the pending invitation's expiry...
PT-2024-13556 · Rubygems +2 · Devise Invitable +3
Name of the Vulnerable Software and Affected Versions: decidim versions 0.0.1.alpha3 through 0.26.8 decidim-admin versions 0.0.1.alpha3 through 0.26.8 decidim-system versions 0.0.1.alpha3 through 0.26.8 devise invitable versions 0.4.rc3 through 2.0.8 Description: The invites feature in the devise...
GHSA-CHCR-X7HC-8FP8 Devise-Two-Factor vulnerable to brute force attacks
Advisory withdrawn The backing CVE has been rejected Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's TOTP inherent entropy limitations, it's possible for an attacker to bypass the 2F...
Brute Force Attack
devise-two-factor is vulnerable to Brute Force Attack. The vulnerability is due to a lack of attempt restriction of login attempts in Devise-Two-Factor. This issue, when combined with the inherent entropy limitations of the Time-based One-Time Password TOTP algorithm, This allows an attacker to...
Devise-Two-Factor vulnerable to brute force attacks
Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's TOTP inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks. Impact If a...