Ruby/devise/3.2.4

Flexible authentication solution for Rails with Warden

Repo Link: https://rubygems.org/gems/devise
License: MIT

6 Security Vulnerabilities

devise Time-of-check Time-of-use Race Condition vulnerability

Published date: 2019-03-19T18:03:25Z

CVE: CVE-2019-5421

Links:

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

Affected versions: ["4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.8", "3.5.7", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.3", "3.2.2", "3.2.1", "3.2.0", "3.1.2", "3.1.1", "3.1.0", "3.1.0.rc2", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.4", "2.1.3", "2.1.2", "2.1.0", "2.1.0.rc2", "2.1.0.rc", "2.0.6", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "2.0.0.rc", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.7", "1.4.5", "1.4.3", "1.4.2", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.2.rc2", "1.2.rc", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.1.rc2", "1.1.rc1", "1.1.rc0", "1.1.pre4", "1.1.pre3", "1.1.pre2", "1.1.pre", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.0", "0.2.3", "0.2.2", "0.2.1", "0.2.0", "0.1.1", "0.1.0"]

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie

Published date: 2023-01-26T23:54:07Z

CVE: CVE-2015-8314

Links:

Devise version before 3.5.4 uses cookies to implement a Remember me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

Affected versions: ["3.5.3", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.3", "3.2.2", "3.2.1", "3.2.0", "3.1.2", "3.1.1", "3.1.0", "3.1.0.rc2", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.4", "2.1.3", "2.1.2", "2.1.0", "2.1.0.rc2", "2.1.0.rc", "2.0.6", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "2.0.0.rc", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.7", "1.4.5", "1.4.3", "1.4.2", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.2.rc2", "1.2.rc", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.1.rc2", "1.1.rc1", "1.1.rc0", "1.1.pre4", "1.1.pre3", "1.1.pre2", "1.1.pre", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.0", "0.2.3", "0.2.2", "0.2.1", "0.2.0", "0.1.1", "0.1.0"]

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

Authentication Bypass in Devise

Published date: 2019-09-11T23:06:57Z

CVE: CVE-2019-16109

Links:

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. (However, there is no scenario within Devise itself in which such database records would exist.)

Affected versions: ["4.7.0", "4.6.2", "4.6.1", "4.6.0", "4.5.0", "4.4.3", "4.4.2", "4.4.1", "4.4.0", "4.3.0", "4.2.1", "4.2.0", "4.1.1", "4.1.0", "4.0.3", "4.0.2", "4.0.1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "3.5.10", "3.5.9", "3.5.8", "3.5.7", "3.5.6", "3.5.5", "3.5.4", "3.5.3", "3.5.2", "3.5.1", "3.4.1", "3.4.0", "3.3.0", "3.2.4", "3.2.3", "3.2.2", "3.2.1", "3.2.0", "3.1.2", "3.1.1", "3.1.0", "3.1.0.rc2", "3.0.4", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc", "2.2.8", "2.2.7", "2.2.6", "2.2.5", "2.2.4", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.2.0.rc", "2.1.4", "2.1.3", "2.1.2", "2.1.0", "2.1.0.rc2", "2.1.0.rc", "2.0.6", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "2.0.0.rc2", "2.0.0.rc", "1.5.4", "1.5.3", "1.5.2", "1.5.1", "1.5.0", "1.5.0.rc1", "1.4.9", "1.4.8", "1.4.7", "1.4.5", "1.4.3", "1.4.2", "1.4.1", "1.3.4", "1.3.3", "1.3.2", "1.3.1", "1.3.0", "1.2.1", "1.2.0", "1.2.rc2", "1.2.rc", "1.1.9", "1.1.8", "1.1.7", "1.1.6", "1.1.5", "1.1.4", "1.1.3", "1.1.2", "1.1.1", "1.1.0", "1.1.rc2", "1.1.rc1", "1.1.rc0", "1.1.pre4", "1.1.pre3", "1.1.pre2", "1.1.pre", "1.0.11", "1.0.10", "1.0.9", "1.0.8", "1.0.7", "1.0.6", "1.0.5", "1.0.4", "1.0.3", "1.0.2", "1.0.1", "1.0.0", "0.9.2", "0.9.1", "0.9.0", "0.8.2", "0.8.1", "0.8.0", "0.7.5", "0.7.4", "0.7.3", "0.7.2", "0.7.1", "0.7.0", "0.6.3", "0.6.2", "0.6.1", "0.6.0", "0.5.6", "0.5.5", "0.5.4", "0.5.3", "0.5.2", "0.5.1", "0.5.0", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.0", "0.2.3", "0.2.2", "0.2.1", "0.2.0", "0.1.1", "0.1.0"]

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie

Published date: 2016-01-18

CVE: 2015-8314

CVSS V3: 7.5

Links:

http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

Devise Gem for Ruby confirmation token validation with a blank string

Published date: 2019-09-08

CVE: 2019-16109

CVSS V3: 5.3

Links:

https://github.com/plataformatec/devise/issues/5071

Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmationtoken, if a database record has a blank value in the confirmationtoken column. However, there is no scenario within Devise itself in which such database records would exist.

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module

Published date: 2019-02-07

CVE: 2019-5421

CVSS V2: 7.5

CVSS V3: 9.8

Links:

https://github.com/plataformatec/devise/issues/4981

Secure versions: [4.7.3, 4.7.2, 4.7.1, 4.8.0, 4.8.1, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4]

Recommendation: Update to version 4.9.4.

167 Other Versions

Version	License	Security	Released
4.9.4	MIT		2024-04-10 - 12:27	9 days
4.9.3	MIT		2023-10-11 - 22:08	6 months
4.9.2	MIT		2023-04-03 - 12:23	about 1 year
4.9.1	MIT		2023-03-31 - 12:39	about 1 year
4.9.0	MIT		2023-02-17 - 14:14	about 1 year
4.8.1	MIT		2021-12-16 - 11:07	over 2 years
4.8.0	MIT		2021-04-29 - 11:52	almost 3 years
4.7.3	MIT		2020-09-21 - 00:21	over 3 years
4.7.2	MIT		2020-06-10 - 18:31	almost 4 years
4.7.1	MIT		2019-09-06 - 18:02	over 4 years
4.7.0	MIT	2	2019-08-19 - 16:47	over 4 years
4.6.2	MIT	2	2019-03-26 - 16:55	about 5 years
4.6.1	MIT	2	2019-02-11 - 15:28	about 5 years
4.6.0	MIT	2	2019-02-07 - 17:41	about 5 years
4.5.0	MIT	4	2018-08-15 - 23:30	over 5 years
4.4.3	MIT	4	2018-03-18 - 00:00	about 6 years
4.4.2	MIT	4	2018-03-15 - 13:50	about 6 years
4.4.1	MIT	4	2018-01-23 - 18:11	about 6 years
4.4.0	MIT	4	2017-12-29 - 19:50	over 6 years
4.3.0	MIT	4	2017-05-15 - 00:12	almost 7 years
4.2.1	MIT	4	2017-03-15 - 15:36	about 7 years
4.2.0	MIT	4	2016-07-01 - 17:45	almost 8 years
4.1.1	MIT	4	2016-05-15 - 15:04	almost 8 years
4.1.0	MIT	4	2016-05-03 - 02:52	almost 8 years
4.0.3	MIT	4	2016-05-15 - 15:08	almost 8 years
4.0.2	MIT	4	2016-05-03 - 02:44	almost 8 years
4.0.1	MIT	4	2016-04-25 - 20:07	almost 8 years
4.0.0	MIT	4	2016-04-18 - 14:53	about 8 years
4.0.0.rc2	MIT	4	2016-03-09 - 14:31	about 8 years
4.0.0.rc1	MIT	4	2016-02-01 - 11:21	about 8 years
3.5.10	MIT	4	2016-05-15 - 15:14	almost 8 years
3.5.9	MIT	4	2016-05-03 - 02:47	almost 8 years
3.5.8	MIT	4	2016-04-25 - 19:58	almost 8 years
3.5.7	MIT	4	2016-04-18 - 14:59	about 8 years
3.5.6	MIT	4	2016-02-01 - 11:10	about 8 years
3.5.5	MIT	4	2016-01-22 - 19:23	about 8 years
3.5.4	MIT	4	2016-01-18 - 14:12	about 8 years
3.5.3	MIT	6	2015-12-10 - 16:37	over 8 years
3.5.2	MIT	6	2015-08-10 - 12:47	over 8 years
3.5.1	MIT	6	2015-05-26 - 13:26	almost 9 years
3.4.1	MIT	6	2014-10-29 - 14:59	over 9 years
3.4.0	MIT	6	2014-10-03 - 17:28	over 9 years
3.3.0	MIT	6	2014-08-13 - 16:42	over 9 years
3.2.4	MIT	6	2014-03-17 - 14:16	about 10 years
3.2.3	MIT	6	2014-02-20 - 18:33	about 10 years
3.2.2	MIT	6	2013-11-25 - 11:00	over 10 years
3.2.1	MIT	6	2013-11-13 - 13:25	over 10 years
3.2.0	MIT	6	2013-11-06 - 20:51	over 10 years
3.1.2	MIT	6	2013-11-13 - 13:24	over 10 years
3.1.1	MIT	6	2013-10-01 - 15:51	over 10 years
3.1.0	MIT	6	2013-09-05 - 22:50	over 10 years
3.1.0.rc2	MIT	6	2013-08-18 - 08:18	over 10 years
3.0.4	MIT	6	2013-11-13 - 13:24	over 10 years
3.0.3	MIT	6	2013-08-18 - 08:26	over 10 years
3.0.2	MIT	6	2013-08-09 - 08:24	over 10 years
3.0.1	MIT	6	2013-08-02 - 21:25	over 10 years
3.0.0	MIT	7	2013-07-14 - 18:48	almost 11 years
3.0.0.rc	MIT	7	2013-05-07 - 16:35	almost 11 years
2.2.8	MIT	6	2013-11-13 - 13:24	over 10 years
2.2.7	MIT	6	2013-08-18 - 08:29	over 10 years
2.2.6	MIT	6	2013-08-09 - 08:32	over 10 years
2.2.5	MIT	6	2013-08-02 - 21:24	over 10 years
2.2.4	MIT	6	2013-05-07 - 15:54	almost 11 years
2.2.3	UNKNOWN	6	2013-01-28 - 14:49	about 11 years
2.2.2	UNKNOWN	8	2013-01-15 - 20:03	over 11 years
2.2.1	UNKNOWN	8	2013-01-11 - 18:16	over 11 years
2.2.0	UNKNOWN	8	2013-01-08 - 20:31	over 11 years
2.2.0.rc	UNKNOWN	7	2012-12-13 - 09:05	over 11 years
2.1.4	UNKNOWN	7	2013-08-18 - 08:38	over 10 years
2.1.3	UNKNOWN	7	2013-01-28 - 14:49	about 11 years
2.1.2	UNKNOWN	8	2012-06-19 - 09:27	almost 12 years
2.1.0	UNKNOWN	8	2012-05-15 - 17:16	almost 12 years
2.1.0.rc2	UNKNOWN	7	2012-05-09 - 22:54	almost 12 years
2.1.0.rc	UNKNOWN	7	2012-03-15 - 14:19	about 12 years
2.0.6	UNKNOWN	7	2013-08-18 - 08:44	over 10 years
2.0.5	UNKNOWN	7	2013-01-28 - 14:49	about 11 years
2.0.4	UNKNOWN	8	2012-02-17 - 08:32	about 12 years
2.0.2	UNKNOWN	8	2012-02-15 - 16:26	about 12 years
2.0.1	UNKNOWN	8	2012-02-09 - 10:15	about 12 years
2.0.0	UNKNOWN	8	2012-01-26 - 19:45	about 12 years
2.0.0.rc2	UNKNOWN	7	2012-01-24 - 13:29	about 12 years
2.0.0.rc	UNKNOWN	7	2011-12-19 - 12:36	over 12 years
1.5.4	UNKNOWN	7	2013-01-28 - 14:49	about 11 years
1.5.3	UNKNOWN	8	2011-12-19 - 11:57	over 12 years
1.5.2	UNKNOWN	8	2011-11-30 - 09:26	over 12 years
1.5.1	UNKNOWN	8	2011-11-22 - 15:13	over 12 years
1.5.0	UNKNOWN	8	2011-11-13 - 21:23	over 12 years
1.5.0.rc1	UNKNOWN	7	2011-11-10 - 21:27	over 12 years
1.4.9	UNKNOWN	8	2011-10-20 - 14:50	over 12 years
1.4.8	UNKNOWN	8	2011-10-10 - 12:44	over 12 years
1.4.7	UNKNOWN	8	2011-09-22 - 09:51	over 12 years
1.4.5	UNKNOWN	8	2011-09-08 - 21:54	over 12 years
1.4.3	UNKNOWN	8	2011-08-30 - 12:43	over 12 years
1.4.2	UNKNOWN	8	2011-06-30 - 18:20	almost 13 years
1.4.1	UNKNOWN	8	2011-06-29 - 23:30	almost 13 years
1.3.4	UNKNOWN	8	2011-04-29 - 12:16	almost 13 years
1.3.3	UNKNOWN	8	2011-04-21 - 17:19	almost 13 years
1.3.2	UNKNOWN	8	2011-04-21 - 12:00	almost 13 years
1.3.1	UNKNOWN	8	2011-04-19 - 08:40	about 13 years
1.3.0	UNKNOWN	8	2011-04-16 - 11:32	about 13 years