PT-2019-17654 · Plataformatec · Devise

Ouranos · Published 2019-03-19 · Updated 2020-10-16 · CVE-2019-5421

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions: Plataformatec Devise versions 4.5.0 and earlier

Description: The issue is a time-of-check time-of-use (TOCTOU) race condition in the Devise::Models::Lockable class, specifically in the #increment_failed_attempts method. Because incrementing the failed-attempts counter is not atomic, multiple concurrent requests can race on it and the counter undercounts, so an attacker running a brute-force attack is not locked out as intended. The flaw is exploitable over the network. The estimated number of potentially affected devices is not specified.

Recommendations: For Plataformatec Devise versions 4.5.0 and earlier, update to version 4.6.0 or later to resolve the issue. As a temporary workaround, consider disabling the lockable module or restricting access to the Devise::Models::Lockable class until a patch is available.
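The following Ruby model is an added example, not Devise's own code, written to show the defect the description refers to and why an atomic counter update closes it. It assumes a lockout threshold of 5 (MAXIMUM_ATTEMPTS, standing in for whatever the application configures), a stand-in AccountRow in place of a real database row, and a mutex-guarded increment as a model of a database-side `failed_attempts = failed_attempts + 1` update; all class and method names are constructed for this illustration. The simulated burst forces the worst-case interleaving the advisory describes, where every request reads the counter before any request writes it.

```ruby
# Added example, not Devise's own code: models the TOCTOU race on a
# failed-login counter and the atomic counter update that removes it.
# MAXIMUM_ATTEMPTS is an assumed lockout threshold; Devise configures its own.
MAXIMUM_ATTEMPTS = 5

# Stand-in for the database row holding an account's failed_attempts column.
class AccountRow
  attr_reader :failed_attempts, :locked

  def initialize
    @failed_attempts = 0
    @locked = false
    @mutex = Mutex.new
  end

  # Plain column read and plain column write: two separate steps.
  def read_attempts
    @failed_attempts
  end

  def write_attempts(value)
    @failed_attempts = value
  end

  # Models `UPDATE ... SET failed_attempts = failed_attempts + 1`: the store
  # performs the addition itself, so concurrent callers cannot lose updates.
  def atomic_increment
    @mutex.synchronize { @failed_attempts += 1 }
  end

  def lock!
    @locked = true
  end
end

# Vulnerable handling of one failed login: read the counter (time of check),
# then later write counter + 1 (time of use). Any request that ran in between
# has its increment silently overwritten.
class RacyFailureHandler
  def initialize(row)
    @row = row
  end

  def check
    @seen = @row.read_attempts          # SELECT failed_attempts
  end

  def use
    @row.write_attempts(@seen + 1)      # UPDATE ... SET failed_attempts = seen + 1
    @row.lock! if @row.read_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Fixed handling: the increment is one atomic store operation, so there is
# no stale value to act on.
class AtomicFailureHandler
  def initialize(row)
    @row = row
  end

  def check
    # Nothing is read ahead of the update.
  end

  def use
    @row.atomic_increment
    @row.lock! if @row.read_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Runs `attempts` concurrent failed logins in the worst-case interleaving:
# every request completes its check before any request performs its update.
def simulate_burst(handler_class, attempts)
  row = AccountRow.new
  handlers = Array.new(attempts) { handler_class.new(row) }
  handlers.each(&:check)
  handlers.each(&:use)
  row
end

# The same burst under real Ruby threads for the atomic handler; the mutex
# stands in for the database serialising the UPDATE.
def threaded_atomic_burst(attempts)
  row = AccountRow.new
  Array.new(attempts) { Thread.new { AtomicFailureHandler.new(row).use } }.each(&:join)
  row
end

if __FILE__ == $PROGRAM_NAME
  racy = simulate_burst(RacyFailureHandler, 20)
  fixed = simulate_burst(AtomicFailureHandler, 20)
  puts "racy:   failed_attempts=#{racy.failed_attempts} locked=#{racy.locked}"
  puts "atomic: failed_attempts=#{fixed.failed_attempts} locked=#{fixed.locked}"
end
```

With twenty interleaved failures the racy handler leaves the counter at 1 and the account unlocked, which is the undercount the description refers to; the atomic handler counts all twenty and locks the account once the threshold is crossed. The point for defenders is that the lockout counter must be updated by the database (or another single serialising component), not computed in the application from a value read earlier.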

Exploit

Fix

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts
Time Of Check To Time Of Use

Related identifiers

CVE-2019-5421
GHSA-73RF-6MRF-759Q

Affected products

Devise