Ruby/devise/4.0.1
Flexible authentication solution for Rails with Warden
https://rubygems.org/gems/devise
MIT
4 Security Vulnerabilities
devise Time-of-check Time-of-use Race Condition vulnerability
Published date: 2019-03-19T18:03:25Z
CVE: CVE-2019-5421
Links:
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Authentication Bypass in Devise
Published date: 2019-09-11T23:06:57Z
CVE: CVE-2019-16109
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16109
- https://github.com/advisories/GHSA-fcjw-8rhj-gwwc
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
- https://github.com/plataformatec/devise/issues/5071
- https://github.com/plataformatec/devise/pull/5132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2019-16109.yml
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. (However, there is no scenario within Devise itself in which such database records would exist.)
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby confirmation token validation with a blank string
Published date: 2019-09-08
CVE: 2019-16109
CVSS V3: 5.3
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. However, there is no scenario within Devise itself in which such database records would exist.
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Published date: 2019-02-07
CVE: 2019-5421
CVSS V2: 7.5
CVSS V3: 9.8
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts
within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
167 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 4.9.4 | MIT | 2024-04-10 - 12:27 | about 1 year | |
| 4.9.3 | MIT | 2023-10-11 - 22:08 | over 1 year | |
| 4.9.2 | MIT | 2023-04-03 - 12:23 | over 2 years | |
| 4.9.1 | MIT | 2023-03-31 - 12:39 | over 2 years | |
| 4.9.0 | MIT | 2023-02-17 - 14:14 | over 2 years | |
| 4.8.1 | MIT | 2021-12-16 - 11:07 | over 3 years | |
| 4.8.0 | MIT | 2021-04-29 - 11:52 | about 4 years | |
| 4.7.3 | MIT | 2020-09-21 - 00:21 | almost 5 years | |
| 4.7.2 | MIT | 2020-06-10 - 18:31 | about 5 years | |
| 4.7.1 | MIT | 2019-09-06 - 18:02 | almost 6 years | |
| 4.7.0 | MIT | 2 | 2019-08-19 - 16:47 | almost 6 years |
| 4.6.2 | MIT | 2 | 2019-03-26 - 16:55 | over 6 years |
| 4.6.1 | MIT | 2 | 2019-02-11 - 15:28 | over 6 years |
| 4.6.0 | MIT | 2 | 2019-02-07 - 17:41 | over 6 years |
| 4.5.0 | MIT | 4 | 2018-08-15 - 23:30 | almost 7 years |
| 4.4.3 | MIT | 4 | 2018-03-18 - 00:00 | over 7 years |
| 4.4.2 | MIT | 4 | 2018-03-15 - 13:50 | over 7 years |
| 4.4.1 | MIT | 4 | 2018-01-23 - 18:11 | over 7 years |
| 4.4.0 | MIT | 4 | 2017-12-29 - 19:50 | over 7 years |
| 4.3.0 | MIT | 4 | 2017-05-15 - 00:12 | about 8 years |
| 4.2.1 | MIT | 4 | 2017-03-15 - 15:36 | over 8 years |
| 4.2.0 | MIT | 4 | 2016-07-01 - 17:45 | about 9 years |
| 4.1.1 | MIT | 4 | 2016-05-15 - 15:04 | about 9 years |
| 4.1.0 | MIT | 4 | 2016-05-03 - 02:52 | about 9 years |
| 4.0.3 | MIT | 4 | 2016-05-15 - 15:08 | about 9 years |
| 4.0.2 | MIT | 4 | 2016-05-03 - 02:44 | about 9 years |
| 4.0.1 | MIT | 4 | 2016-04-25 - 20:07 | about 9 years |
| 4.0.0 | MIT | 4 | 2016-04-18 - 14:53 | about 9 years |
| 4.0.0.rc2 | MIT | 4 | 2016-03-09 - 14:31 | over 9 years |
| 4.0.0.rc1 | MIT | 4 | 2016-02-01 - 11:21 | over 9 years |
| 3.5.10 | MIT | 4 | 2016-05-15 - 15:14 | about 9 years |
| 3.5.9 | MIT | 4 | 2016-05-03 - 02:47 | about 9 years |
| 3.5.8 | MIT | 4 | 2016-04-25 - 19:58 | about 9 years |
| 3.5.7 | MIT | 4 | 2016-04-18 - 14:59 | about 9 years |
| 3.5.6 | MIT | 4 | 2016-02-01 - 11:10 | over 9 years |
| 3.5.5 | MIT | 4 | 2016-01-22 - 19:23 | over 9 years |
| 3.5.4 | MIT | 4 | 2016-01-18 - 14:12 | over 9 years |
| 3.5.3 | MIT | 6 | 2015-12-10 - 16:37 | over 9 years |
| 3.5.2 | MIT | 6 | 2015-08-10 - 12:47 | almost 10 years |
| 3.5.1 | MIT | 6 | 2015-05-26 - 13:26 | about 10 years |
| 3.4.1 | MIT | 6 | 2014-10-29 - 14:59 | over 10 years |
| 3.4.0 | MIT | 6 | 2014-10-03 - 17:28 | almost 11 years |
| 3.3.0 | MIT | 6 | 2014-08-13 - 16:42 | almost 11 years |
| 3.2.4 | MIT | 6 | 2014-03-17 - 14:16 | over 11 years |
| 3.2.3 | MIT | 6 | 2014-02-20 - 18:33 | over 11 years |
| 3.2.2 | MIT | 6 | 2013-11-25 - 11:00 | over 11 years |
| 3.2.1 | MIT | 6 | 2013-11-13 - 13:25 | over 11 years |
| 3.2.0 | MIT | 6 | 2013-11-06 - 20:51 | over 11 years |
| 3.1.2 | MIT | 6 | 2013-11-13 - 13:24 | over 11 years |
| 3.1.1 | MIT | 6 | 2013-10-01 - 15:51 | almost 12 years |