GSD-2015-8314

Vulnerability from gsd - Updated: 2016-01-18 00:00
Details
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
Aliases
Aliases
CVE-2015-8314
To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-8314",
    "id": "GSD-2015-8314"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "devise",
            "purl": "pkg:gem/devise"
          }
        }
      ],
      "aliases": [
        "CVE-2015-8314",
        "GHSA-746g-3gfp-hfhw"
      ],
      "details": "Devise version before 3.5.4 uses cookies to implement a \"Remember me\"\nfunctionality. However, it generates the same cookie for all devices. If an\nattacker manages to steal a remember me cookie and the user does not change\nthe password frequently, the cookie can be used to gain access to the\napplication indefinitely.\n",
      "id": "GSD-2015-8314",
      "modified": "2016-01-18T00:00:00.000Z",
      "published": "2016-01-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-8314",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://rubysec.com/advisories/CVE-2015-8314/",
            "refsource": "MISC",
            "url": "https://rubysec.com/advisories/CVE-2015-8314/"
          },
          {
            "name": "https://github.com/advisories/GHSA-746g-3gfp-hfhw",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-746g-3gfp-hfhw"
          },
          {
            "name": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24",
            "refsource": "MISC",
            "url": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-8314",
      "date": "2016-01-18",
      "description": "Devise version before 3.5.4 uses cookies to implement a \"Remember me\"\nfunctionality. However, it generates the same cookie for all devices. If an\nattacker manages to steal a remember me cookie and the user does not change\nthe password frequently, the cookie can be used to gain access to the\napplication indefinitely.\n",
      "gem": "devise",
      "ghsa": "746g-3gfp-hfhw",
      "patched_versions": [
        "\u003e= 3.5.4"
      ],
      "title": "Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie",
      "url": "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.5.4",
          "affected_versions": "All versions before 3.5.4",
          "credit": "Alfredo Ramirez from VSR",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2016-01-18",
          "description": "Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.",
          "fixed_versions": [
            "3.5.4"
          ],
          "identifier": "CVE-2015-8314",
          "identifiers": [
            "CVE-2015-8314"
          ],
          "package_slug": "gem/devise",
          "pubdate": "2016-01-18",
          "solution": "Upgrade to latest or apply patches.",
          "title": "Unauthorized Access Using remember-me Cookie",
          "urls": [
            "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/",
            "https://gist.github.com/josevalim/924ce7cc4c0e5039fd79"
          ],
          "uuid": "c76bdaa0-dd5f-42c2-a3aa-fc03db30d138"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:heartcombo:devise:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "693703F3-9D16-4FB7-930F-0FD309D1D3F4",
                    "versionEndExcluding": "3.5.4",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access."
          },
          {
            "lang": "es",
            "value": "Devise gem anterior a 3.5.4 para Ruby maneja mal las cookies Recordarme para las sesiones, lo que puede permitir que un adversario obtenga acceso persistente no autorizado a la aplicaci\u00f3n."
          }
        ],
        "id": "CVE-2015-8314",
        "lastModified": "2023-12-14T20:34:05.650",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-12T17:15:07.450",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/advisories/GHSA-746g-3gfp-hfhw"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://rubysec.com/advisories/CVE-2015-8314/"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-312"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.