
Ouranos

#24234 of 53,635
9.8 Total CVSS
Vulnerabilities · 1
PT-2019-17654
9.8
2019-03-19
Plataformatec · Devise · CVE-2019-5421
**Name of the Vulnerable Software and Affected Versions**

Plataformatec Devise versions 4.5.0 and earlier

**Description**

The issue is a time-of-check time-of-use (TOCTOU) race condition in the `Devise::Models::Lockable` class, specifically in the `#increment_failed_attempts` method. Multiple concurrent requests can race on the failed-attempts counter, so an attacker running a brute-force attack is not locked out as intended; the issue is exploitable over the network. The estimated number of potentially affected devices is not specified.

**Recommendations**

For Plataformatec Devise versions 4.5.0 and earlier, update to version 4.6.0 or later to resolve the issue. As a temporary workaround, consider disabling the `lockable` module or restricting access to the `Devise::Models::Lockable` class until a patch is available.
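The race the advisory describes, as an added illustration that is not Devise's code or its upstream fix: a constructed in-memory user record whose failed-attempts counter is incremented by concurrent requests, first with the non-atomic read-modify-write pattern and then with an atomic increment. The `User`, `Latch` and `simulate` names and the SQL analogy are assumptions; the latch only exists to force the worst-case interleaving deterministically.

```ruby
# Countdown latch: each caller blocks until +n+ callers have arrived. It only
# serves to force the worst-case request interleaving deterministically.
class Latch
  def initialize(n)
    @n, @m, @cv = n, Mutex.new, ConditionVariable.new
  end
  def arrive_and_wait
    @m.synchronize do
      @n -= 1
      @n.zero? ? @cv.broadcast : (@cv.wait(@m) while @n > 0)
    end
  end
end

# Constructed in-memory stand-in for a lockable user row (not Devise's code).
class User
  MAX_ATTEMPTS = 5
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  # Non-atomic read-modify-write, the TOCTOU pattern in the advisory: concurrent
  # requests all read the same stale counter and write back count + 1, so many
  # failed logins register as one and the account is never locked.
  def increment_failed_attempts_racy(between_check_and_use)
    current = @failed_attempts      # time of check
    between_check_and_use.call      # other requests run here
    @failed_attempts = current + 1  # time of use: overwrites their increments
  end

  # Atomic increment; stands in for a single SQL statement such as
  # UPDATE users SET failed_attempts = failed_attempts + 1 (assumed, not the upstream fix).
  def increment_failed_attempts_atomic(_between_check_and_use)
    @lock.synchronize { @failed_attempts += 1 }
  end

  def access_locked?
    @failed_attempts >= MAX_ATTEMPTS
  end
end

# Runs +requests+ concurrent failed logins against one user via the chosen method.
def simulate(requests, method)
  user, latch = User.new, Latch.new(requests)
  Array.new(requests) { Thread.new { user.public_send(method, -> { latch.arrive_and_wait }) } }.each(&:join)
  user
end
```

With 20 concurrent failed logins the racy variant ends at a single recorded attempt and no lock, while the atomic variant records all 20 and locks the account.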