Ruby/devise/3.5.10
Flexible authentication solution for Rails with Warden
https://rubygems.org/gems/devise
MIT
4 Security Vulnerabilities
devise Time-of-check Time-of-use Race Condition vulnerability
Published date: 2019-03-19T18:03:25Z
CVE: CVE-2019-5421
Links:
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Authentication Bypass in Devise
Published date: 2019-09-11T23:06:57Z
CVE: CVE-2019-16109
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16109
- https://github.com/advisories/GHSA-fcjw-8rhj-gwwc
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
- https://github.com/plataformatec/devise/issues/5071
- https://github.com/plataformatec/devise/pull/5132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2019-16109.yml
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. (However, there is no scenario within Devise itself in which such database records would exist.)
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby confirmation token validation with a blank string
Published date: 2019-09-08
CVE: 2019-16109
CVSS V3: 5.3
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. However, there is no scenario within Devise itself in which such database records would exist.
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Published date: 2019-02-07
CVE: 2019-5421
CVSS V2: 7.5
CVSS V3: 9.8
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts
within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
167 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.5.5 | UNKNOWN | 8 | 2009-11-19 - 22:55 | over 15 years |
| 0.5.4 | UNKNOWN | 8 | 2009-11-19 - 15:14 | over 15 years |
| 0.5.3 | UNKNOWN | 8 | 2009-11-18 - 11:48 | over 15 years |
| 0.5.2 | UNKNOWN | 8 | 2009-11-17 - 19:39 | over 15 years |
| 0.5.1 | UNKNOWN | 8 | 2009-11-15 - 20:15 | over 15 years |
| 0.5.0 | UNKNOWN | 8 | 2009-11-14 - 02:01 | over 15 years |
| 0.4.3 | UNKNOWN | 8 | 2009-11-10 - 03:01 | over 15 years |
| 0.4.2 | UNKNOWN | 8 | 2009-11-06 - 20:01 | over 15 years |
| 0.4.1 | UNKNOWN | 8 | 2009-11-04 - 03:34 | over 15 years |
| 0.4.0 | UNKNOWN | 8 | 2009-11-03 - 16:29 | over 15 years |
| 0.3.0 | UNKNOWN | 8 | 2009-10-30 - 13:43 | over 15 years |
| 0.2.3 | UNKNOWN | 8 | 2009-10-29 - 18:10 | over 15 years |
| 0.2.2 | UNKNOWN | 8 | 2009-10-28 - 13:33 | over 15 years |
| 0.2.1 | UNKNOWN | 8 | 2009-10-28 - 03:12 | over 15 years |
| 0.2.0 | UNKNOWN | 8 | 2009-10-25 - 01:45 | over 15 years |
| 0.1.1 | UNKNOWN | 8 | 2009-10-21 - 20:07 | over 15 years |
| 0.1.0 | UNKNOWN | 8 | 2009-10-21 - 05:34 | over 15 years |