devise Time-of-check Time-of-use Race Condition vulnerability

GHSA-73rf-6mrf-759q · CVE-2019-5421

Published Mar 19, 2019 · Modified Nov 30, 2024

Description

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-5421
WEB https://github.com/plataformatec/devise/issues/4981
WEB https://github.com/plataformatec/devise/pull/4996
PACKAGE https://github.com/plataformatec/devise

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes