CVE-2019-5421
Gem: devise
Category: Authentication
Severity: Critical
Discovered 12 months ago
Published over 2 years ago
Source: GitHub

The Devise Ruby gem before 4.6.0, when the Lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition because increment_failed_attempts within the Devise::Models::Lockable class is not concurrency safe: concurrent failed logins can each read the same failed_attempts value and write back the same incremented value, so attempts are lost and the account is not locked when it should be.
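To make the race concrete, the following is an added example (not Devise's own code) that models a Lockable-style failed_attempts counter: a read-then-write increment in which every concurrent request reads before any of them writes, beside an increment performed under a lock. AccountRecord, MAXIMUM_ATTEMPTS and the method names are hypothetical stand-ins for the model and its lockable configuration.

```ruby
# Added example, not Devise code: models the lost-update race behind
# CVE-2019-5421. AccountRecord stands in for a persisted user row.
class AccountRecord
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  # Non-atomic pair: read the column into memory (time of check) ...
  def read_attempts
    @failed_attempts
  end

  # ... and later write a value computed from that stale read (time of use).
  def write_attempts(value)
    @failed_attempts = value
  end

  # Concurrency-safe counterpart: the increment happens under a lock, the
  # in-memory analogue of "UPDATE ... SET failed_attempts = failed_attempts + 1".
  def increment_attempts!
    @lock.synchronize { @failed_attempts += 1 }
  end
end

MAXIMUM_ATTEMPTS = 3 # hypothetical lockable threshold

# Runs `requests` failed logins concurrently; each thread reads the counter,
# then all threads are released together so every write carries a stale n + 1.
def racy_failed_logins(record, requests)
  ready, go = Queue.new, Queue.new
  threads = Array.new(requests) do
    Thread.new do
      n = record.read_attempts   # every thread observes the same value
      ready << true
      go.pop                     # wait until all requests have read
      record.write_attempts(n + 1)
    end
  end
  requests.times { ready.pop }
  requests.times { go << true }
  threads.each(&:join)
  record.failed_attempts
end

# Same load against the locked increment: no update is lost.
def safe_failed_logins(record, requests)
  Array.new(requests) { Thread.new { record.increment_attempts! } }.each(&:join)
  record.failed_attempts
end

def locked?(record)
  record.failed_attempts >= MAXIMUM_ATTEMPTS
end
```

With five concurrent failures the racy counter ends at 1 and the account stays unlocked, while the locked increment reaches 5 and trips the threshold.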

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a
Patched Versions

>= 4.6.0

Unaffected Versions

n/a

References

n/a

CVE-2015-8314
Gem: devise
Category: Authentication
Severity: Critical
Discovered 12 months ago
Published over 5 years ago

Devise versions before 3.5.4 use cookies to implement the “Remember me” functionality, but generate the same cookie for all of a user's devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

CVSS Metrics
Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a
Patched Versions

>= 3.5.4

Unaffected Versions

n/a

References

n/a