GHSA-746g-3gfp-hfhw

Source
https://github.com/advisories/GHSA-746g-3gfp-hfhw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-746g-3gfp-hfhw/GHSA-746g-3gfp-hfhw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-746g-3gfp-hfhw
Aliases
Published
2023-01-26T23:54:07Z
Modified
2024-02-16T08:13:56.118671Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
Details

Devise versions before 3.5.4 use cookies to implement the "Remember me" functionality. However, they generate the same cookie for all of a user's devices. If an attacker manages to steal a remember me cookie and the user does not change their password frequently, the cookie can be used to gain access to the application indefinitely.

Database specific
{
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "cwe_ids": [
        "CWE-288",
        "CWE-312"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-26T23:54:07Z"
}
References

Affected packages

RubyGems / devise

Package

Name
devise
Purl
pkg:gem/devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.5.4

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.1.pre
1.1.pre2
1.1.pre3
1.1.pre4
1.1.rc0
1.1.rc1
1.1.rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2.rc
1.2.rc2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.1
1.4.2
1.4.3
1.4.5
1.4.7
1.4.8
1.4.9
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4

2.*

2.0.0.rc
2.0.0.rc2
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0.rc
2.1.0.rc2
2.1.0
2.1.2
2.1.3
2.1.4
2.2.0.rc
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

3.*

3.0.0.rc
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0.rc2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.4.0
3.4.1
3.5.1
3.5.2
3.5.3