PT-2024-15397 · Unknown · Devise-Two-Factor
Published: 2024-01-11 · Updated: 2024-03-18 · CVE-2024-0227
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Devise-Two-Factor (affected versions not specified)
Description
Devise-Two-Factor does not throttle or otherwise restrict login attempts on the server side by default. Combined with the limited entropy of Time-based One-Time Password (TOTP) codes, this allows an attacker to bypass the 2FA mechanism by brute force. If a user's username and password have already been compromised, an attacker can submit possible TOTP codes until one is accepted and log in as that user without the user's knowledge.
Recommendations
To mitigate this threat, consider the following:
- Implement the lockable strategy from Devise to lock a user after a certain number of failed login attempts.
- Configure a rate limit for your application, especially on the login endpoints.
- Display generic error messages for authentication errors, hiding whether the failure was due to the username/password combination or the two-factor code.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
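As an added illustration that is not part of the advisory or of Devise-Two-Factor's own code, the following stand-alone Ruby models the three recommendations above: Devise-style lockable bookkeeping (failed-attempt counter, lock, timed unlock), a per-client rate limit on the login endpoint (the role a middleware such as Rack::Attack plays in a real deployment), and one generic error for every failure path. It then measures how many of the one million six-digit TOTP codes can be checked before the lock engages. Class names, thresholds, and the sample password and code are this example's own assumptions.

```ruby
# Added example (not Devise-Two-Factor code): lockout, rate limit and generic
# errors modelled stand-alone. Names, thresholds and sample values are assumed.

CODE_SPACE = 10**6   # six-digit TOTP: 1_000_000 possible codes

# One message for every failure, so a response never reveals whether the
# password or the second factor was wrong.
GENERIC_ERROR = 'Invalid email, password or authentication code.'

# Account with Devise "lockable"-style bookkeeping: count failures, lock the
# account once the maximum is reached, clear the lock after unlock_in seconds.
class Account
  attr_reader :failed_attempts, :locked_at

  def initialize(password:, current_totp:, maximum_attempts: 5, unlock_in: 3600)
    @password         = password
    @current_totp     = current_totp  # a real verifier derives this from the shared secret
    @maximum_attempts = maximum_attempts
    @unlock_in        = unlock_in
    @failed_attempts  = 0
    @locked_at        = nil
  end

  def locked?(now = Time.now)
    return false if @locked_at.nil?
    return true if now - @locked_at < @unlock_in
    @locked_at = nil          # lock period elapsed: clear lock and counter
    @failed_attempts = 0
    false
  end

  # Returns [:ok, nil] on success, [:error, GENERIC_ERROR] otherwise. A wrong
  # second factor counts as a failed attempt exactly like a wrong password.
  def authenticate(password, totp_code, now = Time.now)
    return [:error, GENERIC_ERROR] if locked?(now)
    if secure_compare(password, @password) && secure_compare(totp_code, @current_totp)
      @failed_attempts = 0
      return [:ok, nil]
    end
    @failed_attempts += 1
    @locked_at = now if @failed_attempts >= @maximum_attempts
    [:error, GENERIC_ERROR]
  end

  private

  # Constant-time comparison for equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Fixed-window rate limit per client on the login endpoint.
class LoginThrottle
  def initialize(limit: 10, period: 60)
    @limit, @period = limit, period
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # true if the request may proceed, false once this client is over the limit.
  def allow?(client, now = Time.now)
    window = @hits[client]
    window.reject! { |t| now - t >= @period }
    return false if window.size >= @limit
    window << now
    true
  end
end

# Measures residual exposure: a client that already holds the password walks
# the code space; returns how many codes were checked before the lock engaged.
def guesses_before_lock(maximum_attempts: 5)
  account = Account.new(password: 'correct-horse', current_totp: '493817',
                        maximum_attempts: maximum_attempts)
  now = Time.at(0)
  checked = 0
  CODE_SPACE.times do |i|
    break if account.locked?(now)
    status, _msg = account.authenticate('correct-horse', format('%06d', i), now)
    checked += 1
    break if status == :ok
  end
  checked
end

# Requests one client gets through in a burst before the throttle trips.
def burst_allowed(limit: 10)
  throttle = LoginThrottle.new(limit: limit, period: 60)
  now = Time.at(0)
  (limit * 3).times.count { throttle.allow?('198.51.100.7', now) }
end

if $PROGRAM_NAME == __FILE__
  n = guesses_before_lock
  puts "codes checked before lock: #{n} (#{n.to_f / CODE_SPACE * 100}% of the space)"
  puts "login requests allowed per minute per client: #{burst_allowed}"
end
```

With the default of five attempts the lock engages after five checked codes, so a client holding the password covers 0.0005% of the code space per lock period; without the lock the same loop would run through all one million codes. The throttle caps how quickly that budget can be spent at all, and the single error string keeps the lock and the second factor from being distinguished in the response.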
Exploit
Weakness Enumeration
Improper Restriction of Excessive Authentication Attempts
Related Identifiers
CVE-2024-0227
Affected Products
Devise-Two-Factor