Ruby/devise/4.2.1
Flexible authentication solution for Rails with Warden
https://rubygems.org/gems/devise
MIT
4 Security Vulnerabilities
devise Time-of-check Time-of-use Race Condition vulnerability
Published date: 2019-03-19T18:03:25Z
CVE: CVE-2019-5421
Links:
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Authentication Bypass in Devise
Published date: 2019-09-11T23:06:57Z
CVE: CVE-2019-16109
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16109
- https://github.com/advisories/GHSA-fcjw-8rhj-gwwc
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
- https://github.com/plataformatec/devise/issues/5071
- https://github.com/plataformatec/devise/pull/5132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2019-16109.yml
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. (However, there is no scenario within Devise itself in which such database records would exist.)
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby confirmation token validation with a blank string
Published date: 2019-09-08
CVE: 2019-16109
CVSS V3: 5.3
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. However, there is no scenario within Devise itself in which such database records would exist.
Affected versions:
["4.7.0", "4.6.2", "4.6.0", "4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.6.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Published date: 2019-02-07
CVE: 2019-5421
CVSS V2: 7.5
CVSS V3: 9.8
Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts
within the Devise::Models::Lockable class not being concurrency safe.
Affected versions:
["4.1.0", "4.0.3", "4.0.1", "4.0.0", "3.5.8", "3.5.7", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.0", "3.1.2", "3.1.0.rc2", "3.0.4", "3.0.2", "2.2.8", "2.2.6", "2.2.5", "2.2.4", "2.2.2", "2.1.4", "2.1.2", "2.1.0", "2.1.0.rc", "2.0.5", "2.0.0.rc", "1.5.4", "1.5.2", "1.5.1", "1.5.0", "1.4.7", "1.4.2", "1.2.0", "1.2.rc", "1.1.8", "1.1.7", "1.1.3", "1.1.2", "1.1.0", "1.1.rc2", "1.1.pre4", "1.1.pre3", "1.1.pre", "1.0.11", "1.0.9", "1.0.8", "1.0.7", "1.0.4", "1.0.3", "1.0.2", "1.0.0", "0.9.2", "0.9.0", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.0", "0.6.3", "0.6.2", "0.6.0", "0.5.6", "0.5.4", "0.5.3", "0.5.1", "0.4.3", "0.4.2", "0.3.0", "0.2.3", "0.2.1", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.0.2", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.2.3", "3.2.2", "3.2.1", "3.1.1", "3.1.0", "3.0.3", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.7", "2.2.3", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.3", "2.1.0.rc2", "2.0.6", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "1.5.3", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.5", "1.4.3", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.rc2", "1.1.9", "1.1.6", "1.1.5", "1.1.4", "1.1.1", "1.1.rc1", "1.1.rc0", "1.1.pre2", "1.0.10", "1.0.6", "1.0.5", "1.0.1", "0.9.1", "0.8.2", "0.7.1", "0.6.1", "0.5.5", "0.5.2", "0.5.0", "0.4.1", "0.4.0", "0.2.2", "0.2.0", "0.1.1", "0.1.0"]
Secure versions:
[4.7.1, 4.7.2, 4.7.3, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]
Recommendation:
Update to version 4.9.4.
167 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.1.0 | MIT | 6 | 2013-09-05 - 22:50 | almost 12 years |
| 3.1.0.rc2 | MIT | 6 | 2013-08-18 - 08:18 | almost 12 years |
| 3.0.4 | MIT | 6 | 2013-11-13 - 13:24 | over 11 years |
| 3.0.3 | MIT | 6 | 2013-08-18 - 08:26 | almost 12 years |
| 3.0.2 | MIT | 6 | 2013-08-09 - 08:24 | almost 12 years |
| 3.0.1 | MIT | 6 | 2013-08-02 - 21:25 | almost 12 years |
| 3.0.0 | MIT | 7 | 2013-07-14 - 18:48 | almost 12 years |
| 3.0.0.rc | MIT | 7 | 2013-05-07 - 16:35 | about 12 years |
| 2.2.8 | MIT | 6 | 2013-11-13 - 13:24 | over 11 years |
| 2.2.7 | MIT | 6 | 2013-08-18 - 08:29 | almost 12 years |
| 2.2.6 | MIT | 6 | 2013-08-09 - 08:32 | almost 12 years |
| 2.2.5 | MIT | 6 | 2013-08-02 - 21:24 | almost 12 years |
| 2.2.4 | MIT | 6 | 2013-05-07 - 15:54 | about 12 years |
| 2.2.3 | UNKNOWN | 6 | 2013-01-28 - 14:49 | over 12 years |
| 2.2.2 | UNKNOWN | 8 | 2013-01-15 - 20:03 | over 12 years |
| 2.2.1 | UNKNOWN | 8 | 2013-01-11 - 18:16 | over 12 years |
| 2.2.0 | UNKNOWN | 8 | 2013-01-08 - 20:31 | over 12 years |
| 2.2.0.rc | UNKNOWN | 7 | 2012-12-13 - 09:05 | over 12 years |
| 2.1.4 | UNKNOWN | 7 | 2013-08-18 - 08:38 | almost 12 years |
| 2.1.3 | UNKNOWN | 7 | 2013-01-28 - 14:49 | over 12 years |
| 2.1.2 | UNKNOWN | 8 | 2012-06-19 - 09:27 | about 13 years |
| 2.1.0 | UNKNOWN | 8 | 2012-05-15 - 17:16 | about 13 years |
| 2.1.0.rc2 | UNKNOWN | 7 | 2012-05-09 - 22:54 | about 13 years |
| 2.1.0.rc | UNKNOWN | 7 | 2012-03-15 - 14:19 | over 13 years |
| 2.0.6 | UNKNOWN | 7 | 2013-08-18 - 08:44 | almost 12 years |
| 2.0.5 | UNKNOWN | 7 | 2013-01-28 - 14:49 | over 12 years |
| 2.0.4 | UNKNOWN | 8 | 2012-02-17 - 08:32 | over 13 years |
| 2.0.2 | UNKNOWN | 8 | 2012-02-15 - 16:26 | over 13 years |
| 2.0.1 | UNKNOWN | 8 | 2012-02-09 - 10:15 | over 13 years |
| 2.0.0 | UNKNOWN | 8 | 2012-01-26 - 19:45 | over 13 years |
| 2.0.0.rc2 | UNKNOWN | 7 | 2012-01-24 - 13:29 | over 13 years |
| 2.0.0.rc | UNKNOWN | 7 | 2011-12-19 - 12:36 | over 13 years |
| 1.5.4 | UNKNOWN | 7 | 2013-01-28 - 14:49 | over 12 years |
| 1.5.3 | UNKNOWN | 8 | 2011-12-19 - 11:57 | over 13 years |
| 1.5.2 | UNKNOWN | 8 | 2011-11-30 - 09:26 | over 13 years |
| 1.5.1 | UNKNOWN | 8 | 2011-11-22 - 15:13 | over 13 years |
| 1.5.0 | UNKNOWN | 8 | 2011-11-13 - 21:23 | over 13 years |
| 1.5.0.rc1 | UNKNOWN | 7 | 2011-11-10 - 21:27 | over 13 years |
| 1.4.9 | UNKNOWN | 8 | 2011-10-20 - 14:50 | over 13 years |
| 1.4.8 | UNKNOWN | 8 | 2011-10-10 - 12:44 | over 13 years |
| 1.4.7 | UNKNOWN | 8 | 2011-09-22 - 09:51 | almost 14 years |
| 1.4.5 | UNKNOWN | 8 | 2011-09-08 - 21:54 | almost 14 years |
| 1.4.3 | UNKNOWN | 8 | 2011-08-30 - 12:43 | almost 14 years |
| 1.4.2 | UNKNOWN | 8 | 2011-06-30 - 18:20 | about 14 years |
| 1.4.1 | UNKNOWN | 8 | 2011-06-29 - 23:30 | about 14 years |
| 1.3.4 | UNKNOWN | 8 | 2011-04-29 - 12:16 | about 14 years |
| 1.3.3 | UNKNOWN | 8 | 2011-04-21 - 17:19 | about 14 years |
| 1.3.2 | UNKNOWN | 8 | 2011-04-21 - 12:00 | about 14 years |
| 1.3.1 | UNKNOWN | 8 | 2011-04-19 - 08:40 | about 14 years |
| 1.3.0 | UNKNOWN | 8 | 2011-04-16 - 11:32 | about 14 years |