GHSA-x489-jjwm-52g7

Source

https://github.com/advisories/GHSA-x489-jjwm-52g7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-x489-jjwm-52g7/GHSA-x489-jjwm-52g7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x489-jjwm-52g7

Aliases

CVE-2015-7225

Published

2018-08-28T22:34:15Z

Modified

2024-12-08T05:44:02.146290Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)

Details

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 § 5.2 and does not "burn" a successfully validated one-time password (aka OTP), which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or "shoulder surfing", and replaying the OTP in the current time-step.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T22:02:02Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": []
}

References

Affected packages

RubyGems / devise-two-factor

Package

Name: devise-two-factor
Purl: pkg:gem/devise-two-factor

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.1.0