cvelistv5 - CVE-2024-0227

CVE-2024-0227 (GCVE-0-2024-0227)

Vulnerability from cvelistv5 – Published: 2024-01-11 19:35 – Updated: 2024-03-18 13:52

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2024-03-18T13:52:20.268Z",
        "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "shortName": "SNPS"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
    "assignerShortName": "SNPS",
    "cveId": "CVE-2024-0227",
    "datePublished": "2024-01-11T19:35:51.821Z",
    "dateRejected": "2024-03-18T13:52:20.268Z",
    "dateReserved": "2024-01-03T19:26:01.368Z",
    "dateUpdated": "2024-03-18T13:52:20.268Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}]",
      "id": "CVE-2024-0227",
      "lastModified": "2024-03-18T14:15:07.283",
      "published": "2024-01-11T20:15:44.003",
      "sourceIdentifier": "disclosure@synopsys.com",
      "vulnStatus": "Rejected"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-0227\",\"sourceIdentifier\":\"disclosure@synopsys.com\",\"published\":\"2024-01-11T20:15:44.003\",\"lastModified\":\"2024-03-18T14:15:07.283\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.\"}],\"metrics\":{},\"references\":[]}}"
  }
}

GSD-2024-0227

Vulnerability from gsd - Updated: 2024-01-04 06:02

Details

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks.

Aliases

CVE-2024-0227

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-0227"
      ],
      "details": "\nDevise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm\u0027s (TOTP) inherent entropy limitations, it\u0027s possible for an attacker to bypass the 2FA mechanism through brute-force attacks.\n\n",
      "id": "GSD-2024-0227",
      "modified": "2024-01-04T06:02:15.966605Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "disclosure@synopsys.com",
        "ID": "CVE-2024-0227",
        "STATE": "REJECT"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
          }
        ],
        "id": "CVE-2024-0227",
        "lastModified": "2024-03-18T14:15:07.283",
        "metrics": {},
        "published": "2024-01-11T20:15:44.003",
        "references": [],
        "sourceIdentifier": "disclosure@synopsys.com",
        "vulnStatus": "Rejected"
      }
    }
  }
}

FKIE_CVE-2024-0227

Vulnerability from fkie_nvd - Published: 2024-01-11 20:15 - Updated: 2024-03-18 14:15

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
    }
  ],
  "id": "CVE-2024-0227",
  "lastModified": "2024-03-18T14:15:07.283",
  "metrics": {},
  "published": "2024-01-11T20:15:44.003",
  "references": [],
  "sourceIdentifier": "disclosure@synopsys.com",
  "vulnStatus": "Rejected"
}

GHSA-CHCR-X7HC-8FP8

Vulnerability from github – Published: 2024-01-12 15:13 – Updated: 2024-03-20 15:34

Summary

Devise-Two-Factor vulnerable to brute force attacks

Details

Advisory withdrawn

The backing CVE has been rejected

Impact

If a user's username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in as that user. The user under attack would not necessarily know that their account has been compromised.

Patches

Devise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It's recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below.

Mitigations

Use the lockable strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information.
Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is rack-attack.
When displaying authentication errors hide whether validating a username/password combination failed or a two-factor code failed behind a more generic error message.

Acknowledgements

Christian Reitter (Radically Open Security) and Chris MacNaughton (Centauri Solutions)

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "devise-two-factor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-0227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T15:13:05Z",
    "nvd_published_at": "2024-01-11T20:15:44Z",
    "severity": "MODERATE"
  },
  "details": "### Advisory withdrawn\nThe backing CVE has been rejected\n\nDevise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm\u0027s (TOTP) inherent entropy limitations, it\u0027s possible for an attacker to bypass the 2FA mechanism through brute-force attacks.\n\n### Impact\n\nIf a user\u0027s username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in as that user. The user under attack would not necessarily know that their account has been compromised.\n\n### Patches\n\nDevise-Two-Factor has not released any fixes for this vulnerability. This library is open-ended by design and cannot solve this for all applications natively. It\u0027s recommended that any application leveraging Devise-Two-Factor implement controls at the application level to mitigate this threat. A non-exhaustive list of possible mitigations can be found below.\n\n#### Mitigations\n\n1. Use the `lockable` strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information.\n2. Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is [rack-attack](https://rubygems.org/gems/rack-attack).\n3. When displaying authentication errors hide whether validating a username/password combination failed or a two-factor code failed behind a more generic error message.\n\n### Acknowledgements\n\nChristian Reitter ([Radically Open Security](https://www.radicallyopensecurity.com/)) and Chris MacNaughton ([Centauri Solutions](https://centauri.solutions))",
  "id": "GHSA-chcr-x7hc-8fp8",
  "modified": "2024-03-20T15:34:05Z",
  "published": "2024-01-12T15:13:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-chcr-x7hc-8fp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0227"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devise-two-factor/devise-two-factor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2024-0227.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Devise-Two-Factor vulnerable to brute force attacks",
  "withdrawn": "2024-03-19T22:33:55Z"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-0227 (GCVE-0-2024-0227)

GSD-2024-0227

FKIE_CVE-2024-0227

GHSA-CHCR-X7HC-8FP8

Advisory withdrawn

Impact

Patches

Mitigations

Acknowledgements

Tags

Sightings

Nomenclature