GHSA-fcjw-8rhj-gwwc

Source
https://github.com/advisories/GHSA-fcjw-8rhj-gwwc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-fcjw-8rhj-gwwc/GHSA-fcjw-8rhj-gwwc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fcjw-8rhj-gwwc
Aliases
Published
2019-09-11T23:06:57Z
Modified
2024-02-16T08:15:01.119563Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Authentication Bypass in Devise
Details

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
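The lookup the Details paragraph describes, as an added example that is not Devise's own code: a plain-Ruby stand-in for a confirmable model, showing the vulnerable lookup (a blank token matches a row whose confirmation_token column is blank) beside a guarded version in the shape of the Devise 4.7.1 fix (reject a blank token before any query), plus the check a practitioner would run for rows that meet the advisory's precondition. The User struct, the Confirmation class, the blank_token? helper and the sample rows are assumptions constructed for this example.

```ruby
# Illustrative model of the confirmation_token lookup described in the
# advisory. Constructed for this example; NOT Devise's code. The User
# struct, Confirmation class and sample rows stand in for a Devise
# confirmable model backed by a users table.

User = Struct.new(:email, :confirmation_token, :confirmed_at) do
  def confirmed?
    !confirmed_at.nil?
  end
end

# ActiveSupport's #blank? is not available in plain Ruby, so approximate
# it here: nil or a whitespace-only string counts as blank.
def blank_token?(value)
  value.nil? || value.to_s.strip.empty?
end

class Confirmation
  def initialize(users)
    @users = users
  end

  # Vulnerable shape: look the token up directly, as a
  # where(confirmation_token: token).first style query would. A blank token
  # matches any row whose confirmation_token column is blank, so a request
  # carrying no token confirms that account.
  def confirm_by_token_vulnerable(token)
    user = @users.find { |u| u.confirmation_token == token }
    return nil if user.nil?
    user.confirmed_at ||= Time.now
    user
  end

  # Hardened shape (the approach of the fix shipped in Devise 4.7.1): refuse
  # a blank token before touching the store, so no record can be confirmed
  # by one regardless of what the column holds.
  def confirm_by_token(token)
    return [:error, "confirmation_token can't be blank"] if blank_token?(token)
    user = @users.find { |u| u.confirmation_token == token }
    return [:error, "confirmation_token is invalid"] if user.nil?
    user.confirmed_at ||= Time.now
    [:ok, user]
  end

  # The check to run against an existing database: which unconfirmed rows
  # carry a blank token? Those are exactly the rows the bypass could confirm.
  def rows_with_blank_token
    @users.select { |u| !u.confirmed? && blank_token?(u.confirmation_token) }
          .map(&:email)
  end
end

# Constructed sample rows. The second row has a blank token, which is the
# precondition the advisory describes (Devise itself never creates such rows).
def sample_confirmation
  Confirmation.new([
    User.new("alice@example.com", "3f9c1a7e", nil),
    User.new("victim@example.com", "", nil),
  ])
end

if __FILE__ == $0
  store = sample_confirmation
  puts "rows with blank token: #{store.rows_with_blank_token.inspect}"
  puts "vulnerable, blank token: #{store.confirm_by_token_vulnerable('').inspect}"
  fresh = sample_confirmation
  puts "hardened, blank token:   #{fresh.confirm_by_token('').inspect}"
  puts "hardened, real token:    #{fresh.confirm_by_token('3f9c1a7e').inspect}"
end
```

The guard has to cover both nil and the empty string: a confirmation URL with the parameter omitted yields nil, while `?confirmation_token=` yields "", and an equality query matches NULL or empty cells accordingly. On a live Rails app the equivalent of rows_with_blank_token is a query for unconfirmed rows whose confirmation_token is NULL or empty; the advisory says Devise never writes such rows, so any hit points at another writer (imports, fixtures, manual edits) and is worth investigating even after upgrading to 4.7.1.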

Database specific
{
    "github_reviewed_at": "2019-09-11T22:42:42Z",
    "severity": "MODERATE",
    "nvd_published_at": "2019-09-08T20:15:10Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ]
}
References

Affected packages

RubyGems / devise

Package

Name
devise
Purl
pkg:gem/devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.7.1

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.1.pre
1.1.pre2
1.1.pre3
1.1.pre4
1.1.rc0
1.1.rc1
1.1.rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2.rc
1.2.rc2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.1
1.4.2
1.4.3
1.4.5
1.4.7
1.4.8
1.4.9
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4

2.*

2.0.0.rc
2.0.0.rc2
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0.rc
2.1.0.rc2
2.1.0
2.1.2
2.1.3
2.1.4
2.2.0.rc
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

3.*

3.0.0.rc
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0.rc2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.4.0
3.4.1
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10

4.*

4.0.0.rc1
4.0.0.rc2
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.2
4.7.0