GHSA-x489-jjwm-52g7

Suggest an improvement
Source
https://github.com/advisories/GHSA-x489-jjwm-52g7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-x489-jjwm-52g7/GHSA-x489-jjwm-52g7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x489-jjwm-52g7
Aliases
  • CVE-2015-7225
Published
2018-08-28T22:34:15Z
Modified
2024-02-22T05:26:17.130877Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Details

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 ยง 5.2 and does not "burn" a successfully validated one-time password (aka OTP), which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or "shoulder surfing", and replaying the OTP in the current time-step.

References

Affected packages

RubyGems / devise-two-factor

Package

Name
devise-two-factor
Purl
pkg:gem/devise-two-factor

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.0

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.1.0