PT-2019-17654 · Plataformatec · Devise
Ouranos · Published 2019-03-19 · Updated 2020-10-16 · CVE-2019-5421
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Plataformatec Devise versions 4.5.0 and earlier
Description
The issue is a time-of-check time-of-use (TOCTOU) race condition in the Devise::Models::Lockable class, specifically in the #increment_failed_attempts method. Because the failed-attempts counter is not updated atomically, multiple concurrent requests can prevent an attacker from being locked out during a brute-force attack, which makes the issue exploitable over the network. The estimated number of potentially affected devices is not specified.
Recommendations
For Plataformatec Devise versions 4.5.0 and earlier, update to version 4.6.0 or later to resolve the issue.
As a temporary workaround, consider disabling the lockable module or restricting access to the Devise::Models::Lockable class until a patch is available.
Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Time Of Check To Time Of Use
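The race described above, as an added example that is not Devise's own code: a minimal Ruby model of a lockable account whose failed-attempts counter is updated two ways, by a non-atomic read-then-write (the TOCTOU pattern, where every concurrent request can read the same old value) and, beside it, by an atomic increment of the kind a database-side "failed_attempts = failed_attempts + 1" gives. The class names, the MAXIMUM_ATTEMPTS threshold and the worst-case scheduling are assumptions chosen for the illustration.

```ruby
# Constructed example, not Devise code: models the TOCTOU race in a
# lockable failed-attempts counter and the atomic form that closes it.
MAXIMUM_ATTEMPTS = 5 # assumed lock threshold for the illustration

# Stand-in for a persisted account row.
class AccountRow
  attr_accessor :failed_attempts, :locked_at

  def initialize
    @failed_attempts = 0
    @locked_at = nil
    @mutex = Mutex.new # stands in for the database's row-level atomicity
  end

  def locked?
    !@locked_at.nil?
  end

  def lock_if_exhausted
    @locked_at = Time.now if !locked? && @failed_attempts >= MAXIMUM_ATTEMPTS
  end

  # Atomic form: the whole read-modify-write happens as one unit, the way
  # an "UPDATE ... SET failed_attempts = failed_attempts + 1" would.
  def atomic_increment
    @mutex.synchronize do
      @failed_attempts += 1
      lock_if_exhausted
    end
  end
end

# Racy form, split into the two halves the TOCTOU window separates:
# the check (read the current count) and the use (write count + 1 back).
class RacyRequest
  def initialize(row)
    @row = row
  end

  def check
    @snapshot = @row.failed_attempts
  end

  def use
    @row.failed_attempts = @snapshot + 1
    @row.lock_if_exhausted
  end
end

# Worst-case interleaving: every concurrent request reads the counter before
# any of them writes, so all of them write back the same value and the
# account never reaches the lock threshold.
def simulate_racy(concurrent_attempts)
  row = AccountRow.new
  requests = Array.new(concurrent_attempts) { RacyRequest.new(row) }
  requests.each(&:check)
  requests.each(&:use)
  [row.failed_attempts, row.locked?]
end

# The same number of attempts from real threads against the atomic form:
# every attempt is counted and the lock engages at the threshold.
def simulate_atomic(concurrent_attempts)
  row = AccountRow.new
  threads = Array.new(concurrent_attempts) { Thread.new { row.atomic_increment } }
  threads.each(&:join)
  [row.failed_attempts, row.locked?]
end

if __FILE__ == $PROGRAM_NAME
  puts "racy:   #{simulate_racy(20).inspect}"   # => [1, false]
  puts "atomic: #{simulate_atomic(20).inspect}" # => [20, true]
end
```

The scheduler in simulate_racy forces the interleaving deterministically so the lost-update effect is visible on every run; on a real server the same window is reached by timing, which is why the counter must be incremented by the datastore (or under a lock) rather than read, modified and written back by each request.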
Related Identifiers
Affected Products
Devise