Authentication Bypass in Devise

GHSA-fcjw-8rhj-gwwc · CVE-2019-16109

Published Sep 11, 2019 · Modified Feb 16, 2024

Description

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-16109
WEB https://github.com/plataformatec/devise/issues/5071
WEB https://github.com/plataformatec/devise/pull/5132
PACKAGE https://github.com/plataformatec/devise
WEB https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2019-16109.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes