Improper one time password handling in devise-two-factor

GHSA-jm35-h8q2-73mp · CVE-2021-43177

Published Apr 7, 2022 · Modified Mar 13, 2026

Description

Impact

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval.

Patches

This vulnerability has been patched in version 4.0.2 which was released on March 24th, 2022. Individuals using this package are strongly encouraged to upgrade as soon as possible.

Credit for discovery

Benoit Côté-Jodoin
Michael Nipper - https://github.com/tinfoil/devise-two-factor/issues/106

References

WEB https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-43177
WEB https://github.com/tinfoil/devise-two-factor/issues/106
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2021-43177.yml
PACKAGE https://github.com/tinfoil/devise-two-factor

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes