CVE-2024-8796 (GCVE-0-2024-8796)

Vulnerability from cvelistv5 – Published: 2024-09-17 17:12 – Updated: 2024-09-20 19:43
VLAI?
Summary
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Severity ?
6 (Medium)
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
5.3 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
devise-two-factor devise-two-factor Affected: 4.0.0 , < 6.0.0 (custom)
Affected: 1.0.0 (custom)
Create a notification for this product.
Credits
Mark Adams Garrett Rappaport
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-18T14:00:40.365192Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-18T14:00:50.568Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "devise-two-factor",
          "product": "devise-two-factor",
          "vendor": "devise-two-factor",
          "versions": [
            {
              "lessThan": "6.0.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Mark Adams"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Garrett Rappaport"
        }
      ],
      "datePublic": "2024-09-17T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Under the default configuration, Devise-Two-Factor versions \u0026gt;= 2.2.0 \u0026amp; \u0026lt; 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes."
            }
          ],
          "value": "Under the default configuration, Devise-Two-Factor versions \u003e= 2.2.0 \u0026 \u003c 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-59",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-59 Session Credential Falsification through Prediction"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-20T19:43:21.263Z",
        "orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
        "shortName": "SNPS"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\u003cbr\u003e\u003cbr\u003eAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\n\nAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP."
        }
      ],
      "source": {
        "discovery": "USER"
      },
      "title": "Insufficient Default OTP Shared Secret Length",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long.\u003cbr\u003e"
            }
          ],
          "value": "If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b",
    "assignerShortName": "SNPS",
    "cveId": "CVE-2024-8796",
    "datePublished": "2024-09-17T17:12:13.468Z",
    "dateReserved": "2024-09-13T16:52:10.095Z",
    "dateUpdated": "2024-09-20T19:43:21.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tinfoilsecurity:devise-two-factor:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.0.0\", \"versionEndExcluding\": \"6.0.0\", \"matchCriteriaId\": \"84888909-8B85-45B8-B57C-A63ABB739A8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tinfoilsecurity:devise-two-factor:1.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6A7C7CE8-1386-4FF1-81AC-8A9A251122BF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Under the default configuration, Devise-Two-Factor versions \u003e= 2.2.0 \u0026 \u003c 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.\"}, {\"lang\": \"es\", \"value\": \"Con la configuraci\\u00f3n predeterminada, las versiones de Devise-Two-Factor \u0026gt;= 2.2.0 y \u0026lt; 6.0.0 generan secretos compartidos TOTP de 120 bits en lugar del m\\u00ednimo de 128 bits definido por RFC 4226. El uso de un secreto compartido m\\u00e1s corto que el m\\u00ednimo para generar un c\\u00f3digo de autenticaci\\u00f3n multifactor podr\\u00eda facilitar que un atacante adivine el secreto compartido y genere c\\u00f3digos TOTP v\\u00e1lidos.\"}]",
      "id": "CVE-2024-8796",
      "lastModified": "2024-09-30T14:10:38.937",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"disclosure@synopsys.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}], \"cvssMetricV31\": [{\"source\": \"disclosure@synopsys.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}]}",
      "published": "2024-09-17T18:15:05.443",
      "references": "[{\"url\": \"https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2\", \"source\": \"disclosure@synopsys.com\", \"tags\": [\"Mitigation\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "disclosure@synopsys.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"disclosure@synopsys.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-331\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-331\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-8796\",\"sourceIdentifier\":\"disclosure@synopsys.com\",\"published\":\"2024-09-17T18:15:05.443\",\"lastModified\":\"2024-09-30T14:10:38.937\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Under the default configuration, Devise-Two-Factor versions \u003e= 2.2.0 \u0026 \u003c 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.\"},{\"lang\":\"es\",\"value\":\"Con la configuraci\u00f3n predeterminada, las versiones de Devise-Two-Factor \u0026gt;= 2.2.0 y \u0026lt; 6.0.0 generan secretos compartidos TOTP de 120 bits en lugar del m\u00ednimo de 128 bits definido por RFC 4226. El uso de un secreto compartido m\u00e1s corto que el m\u00ednimo para generar un c\u00f3digo de autenticaci\u00f3n multifactor podr\u00eda facilitar que un atacante adivine el secreto compartido y genere c\u00f3digos TOTP v\u00e1lidos.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@synopsys.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@synopsys.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"disclosure@synopsys.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-331\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-331\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tinfoilsecurity:devise-two-factor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"6.0.0\",\"matchCriteriaId\":\"84888909-8B85-45B8-B57C-A63ABB739A8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tinfoilsecurity:devise-two-factor:1.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A7C7CE8-1386-4FF1-81AC-8A9A251122BF\"}]}]}],\"references\":[{\"url\":\"https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2\",\"source\":\"disclosure@synopsys.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8796\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-18T14:00:40.365192Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-18T14:00:47.475Z\"}}], \"cna\": {\"title\": \"Insufficient Default OTP Shared Secret Length\", \"source\": {\"discovery\": \"USER\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Mark Adams\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Garrett Rappaport\"}], \"impacts\": [{\"capecId\": \"CAPEC-59\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-59 Session Credential Falsification through Prediction\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"devise-two-factor\", \"product\": \"devise-two-factor\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"6.0.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"1.0.0\", \"versionType\": \"custom\"}], \"packageName\": \"devise-two-factor\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\\n\\nAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Devise-Two-Factor should be upgraded to version v6.0.0 as soon as possible. After upgrading, the length of shared secrets and TOTP URLs generated by the library will increase since the new shared secrets will be longer.\u003cbr\u003e\u003cbr\u003eAfter upgrading or implementing the workaround, applications using Devise-Two-Factor may wish to migrate users to the new OTP length to provide increased protection for those accounts. Turning off OTP for users by setting otp_required_for_login to false is not recommended since it would leave accounts unprotected. However, you may wish to implement application logic that checks the length of a user\u0027s shared secret and prompts users to re-enroll in OTP.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-09-17T17:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2\", \"tags\": [\"vendor-advisory\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"If upgrading is not possible, you can override the default otp_secret_length attribute in the model when configuring two_factor_authenticable and set it to a value of at least 26 to ensure newly generated shared secrets are at least 128-bits long.\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Under the default configuration, Devise-Two-Factor versions \u003e= 2.2.0 \u0026 \u003c 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Under the default configuration, Devise-Two-Factor versions \u0026gt;= 2.2.0 \u0026amp; \u0026lt; 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-331\", \"description\": \"CWE-331 Insufficient Entropy\"}]}], \"providerMetadata\": {\"orgId\": \"8cad7728-009c-4a3d-a95e-ca62e6ff8a0b\", \"shortName\": \"SNPS\", \"dateUpdated\": \"2024-09-20T19:43:21.263Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-8796\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-20T19:43:21.263Z\", \"dateReserved\": \"2024-09-13T16:52:10.095Z\", \"assignerOrgId\": \"8cad7728-009c-4a3d-a95e-ca62e6ff8a0b\", \"datePublished\": \"2024-09-17T17:12:13.468Z\", \"assignerShortName\": \"SNPS\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.