Lucene search

SNPSVULNRICHMENT:CVE-2024-8796

HistorySep 17, 2024 - 5:12 p.m.

CVE-2024-8796 Insufficient Default OTP Shared Secret Length

2024-09-1717:12:13

CWE-331

SNPS

github.com

cve-2024-8796

default configuration

devise-two-factor

totp

multi-factor authentication

rfc 4226

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

References

github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

7.1

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-8796