Search criteria
4 vulnerabilities by tinfoilsecurity
CVE-2024-8796 (GCVE-0-2024-8796)
Vulnerability from cvelistv5 – Published: 2024-09-17 17:12 – Updated: 2024-09-20 19:43
VLAI?
Summary
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Severity ?
CWE
- CWE-331 - Insufficient Entropy
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| devise-two-factor | devise-two-factor |
Affected:
4.0.0 , < 6.0.0
(custom)
Affected: 1.0.0 (custom) |
Credits
Mark Adams
Garrett Rappaport
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T14:00:40.365192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T14:00:50.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "devise-two-factor",
"product": "devise-two-factor",
"vendor": "devise-two-factor",
"versions": [
{
"lessThan": "6.0.0",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "analyst",
"value": "Mark Adams"
},
{
"lang": "en",
"type": "finder",
"value": "Garrett Rappaport"
}
],
"datePublic": "2024-09-17T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Under the default configuration, Devise-Two-Factor versions \u0026gt;= 2.2.0 \u0026amp; \u0026lt; 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes."
}
],
"value": "Under the default configuration, Devise-Two-Factor versions \u003e= 2.2.0 \u0026 \u003c 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes."
}
],
"impacts": [
{
"capecId": "CAPEC-59",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-59 Session Credential Falsification through Prediction"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-20T19:43:21.263Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "SNPS"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\u003cbr\u003e\u003cbr\u003eAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\n\nAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP."
}
],
"source": {
"discovery": "USER"
},
"title": "Insufficient Default OTP Shared Secret Length",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long.\u003cbr\u003e"
}
],
"value": "If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "SNPS",
"cveId": "CVE-2024-8796",
"datePublished": "2024-09-17T17:12:13.468Z",
"dateReserved": "2024-09-13T16:52:10.095Z",
"dateUpdated": "2024-09-20T19:43:21.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0227 (GCVE-0-2024-0227)
Vulnerability from cvelistv5 – Published: 2024-01-11 19:35 – Updated: 2024-03-18 13:52
VLAI?
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2024-03-18T13:52:20.268Z",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "SNPS"
},
"rejectedReasons": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "SNPS",
"cveId": "CVE-2024-0227",
"datePublished": "2024-01-11T19:35:51.821Z",
"dateRejected": "2024-03-18T13:52:20.268Z",
"dateReserved": "2024-01-03T19:26:01.368Z",
"dateUpdated": "2024-03-18T13:52:20.268Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}
CVE-2021-43177 (GCVE-0-2021-43177)
Vulnerability from cvelistv5 – Published: 2022-04-11 19:37 – Updated: 2024-08-04 03:47
VLAI?
Summary
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Severity ?
No CVSS data available.
CWE
- CWE-254 - 7PK - Security Features
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tinfoil | devise-two-factor |
Affected:
< 4.0.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:47:13.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "devise-two-factor",
"vendor": "Tinfoil",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-254",
"description": "CWE-254: 7PK - Security Features",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-11T19:37:40",
"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"shortName": "SNPS"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclosure@synopsys.com",
"ID": "CVE-2021-43177",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "devise-two-factor",
"version": {
"version_data": [
{
"version_value": "\u003c 4.0.2"
}
]
}
}
]
},
"vendor_name": "Tinfoil"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-254: 7PK - Security Features"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp",
"refsource": "MISC",
"url": "https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
"assignerShortName": "SNPS",
"cveId": "CVE-2021-43177",
"datePublished": "2022-04-11T19:37:40",
"dateReserved": "2021-11-01T00:00:00",
"dateUpdated": "2024-08-04T03:47:13.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7225 (GCVE-0-2015-7225)
Vulnerability from cvelistv5 – Published: 2017-09-06 21:00 – Updated: 2024-08-06 07:43
VLAI?
Summary
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:43:45.764Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md"
},
{
"name": "[oss-security] 20150917 Re: CVE Request: TOTP Replay Attack in Ruby library",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/17/2"
},
{
"name": "[oss-sercurity] 20150620 CVE Request: MITM \u0026 Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library \"ROPT\"",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/06/20/4"
},
{
"name": "76789",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/76789"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not \"burn\" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user\u0027s login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-06T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md"
},
{
"name": "[oss-security] 20150917 Re: CVE Request: TOTP Replay Attack in Ruby library",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/09/17/2"
},
{
"name": "[oss-sercurity] 20150620 CVE Request: MITM \u0026 Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library \"ROPT\"",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/06/20/4"
},
{
"name": "76789",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/76789"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not \"burn\" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user\u0027s login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md",
"refsource": "CONFIRM",
"url": "https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md"
},
{
"name": "[oss-security] 20150917 Re: CVE Request: TOTP Replay Attack in Ruby library",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/09/17/2"
},
{
"name": "[oss-sercurity] 20150620 CVE Request: MITM \u0026 Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library \"ROPT\"",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/06/20/4"
},
{
"name": "76789",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/76789"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466"
},
{
"name": "https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608",
"refsource": "CONFIRM",
"url": "https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7225",
"datePublished": "2017-09-06T21:00:00",
"dateReserved": "2015-09-17T00:00:00",
"dateUpdated": "2024-08-06T07:43:45.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}