CVE-2015-8314

Name of the Vulnerable Software and Affected Versions Devise versions prior to 3.5.4

Description The issue concerns the mishandling of Remember Me cookies for sessions, potentially allowing an adversary to gain unauthorized persistent application access. Specifically, the Devise gem generates the same cookie for all devices, which can be exploited if an attacker steals a remember me cookie and the user does not change the password frequently, allowing the cookie to be used to gain access to the application indefinitely.

Recommendations For Devise versions prior to 3.5.4, update to version 3.5.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the Remember Me functionality until a patch is available. Additionally, users should be advised to change their passwords frequently to minimize the risk of exploitation.