devise-two-factor
RubyGems · 3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting devise-two-factor (page 1 of 1)
- CVE-2015-7225 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 2.0.0 · 2017-09-06
vulnerable: 1.0.0, 1.0.1, 1.0.2, 1.1.0
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's lo…
- CVE-2021-43177 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 4.0.2 · 2022-04-11
vulnerable: 1.0.0 ... 4.0.1 (16 versions)
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR…
- CVE-2024-8796 · MEDIUM · CVSS 5.3 · EG 5.3 · 2024-09-17
vulnerable: 1.0.0 (as listed; note that the advisory text below gives the affected range as >= 2.2.0 and < 6.0.0)
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a …
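The three advisories above describe two distinct defects in a TOTP verifier: failing to "burn" a consumed one-time password (CVE-2015-7225), burning the wrong timestep so a code survives for one trailing interval (CVE-2021-43177), and generating a base32 secret whose 24 characters carry only 120 bits (CVE-2024-8796). The following is an added example, written for this page and not code from devise-two-factor or the ROTP gem it builds on. It is a stdlib-only RFC 6238 verifier that returns the matched timestep so the caller can burn exactly that step, placed beside a no-burn variant and an incomplete-burn variant that records the server's current step instead. The account class, the `replay_demo` scenario (a constructed situation where the user's authenticator runs one interval ahead of the server, within drift, and an attacker replays the captured code), the constant names and the 32-character secret used as the compliant comparison are all assumptions of the example; the page itself does not state which secret length the fixed release uses.

```ruby
# Added example (not devise-two-factor's or ROTP's code): minimal RFC 6238 TOTP
# with a correct "burn" of the matched timestep, beside the no-burn and
# incomplete-burn patterns the CVEs describe, plus the RFC 4226 secret-length check.
require 'openssl'
require 'securerandom'

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
INTERVAL = 30 # seconds per timestep (RFC 6238 default)
DIGITS   = 6

# Decode an unpadded RFC 4648 base32 string to raw key bytes.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  bits[0, bits.length - bits.length % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Random base32 secret of `chars` characters; each character carries 5 bits,
# so the 24-character default described in CVE-2024-8796 yields 120 bits.
def random_base32(chars)
  Array.new(chars) { BASE32_ALPHABET[SecureRandom.random_number(32)] }.join
end

def secret_bits(secret)
  secret.length * 5
end

# RFC 4226 section 4: the shared secret MUST be at least 128 bits.
def secret_meets_rfc4226?(secret)
  secret_bits(secret) >= 128
end

# Constant-time comparison so code checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP (RFC 4226); TOTP is HOTP with counter = unix_time / INTERVAL.
def hotp(secret, counter)
  mac = OpenSSL::HMAC.digest('SHA1', base32_decode(secret), [counter].pack('Q>')).bytes
  o = mac.last & 0x0f # dynamic truncation offset
  code = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3]
  (code % 10**DIGITS).to_s.rjust(DIGITS, '0')
end

def timestep(time)
  time.to_i / INTERVAL
end

def totp(secret, time)
  hotp(secret, timestep(time))
end

# Verify with +/- `drift` steps of tolerance. Returns the matched timestep (or nil),
# not a boolean, so the caller can burn exactly the step that was consumed.
def verify_totp(secret, code, now, drift: 1)
  center = timestep(now)
  ((center - drift)..(center + drift)).find { |step| secure_compare(hotp(secret, step), code) }
end

# Per-user state (assumed shape): the secret and the highest timestep already consumed.
class Account
  attr_reader :consumed_timestep

  def initialize(secret)
    @secret = secret
    @consumed_timestep = nil
  end

  # No burn (the CVE-2015-7225 pattern): a valid code is accepted again for as
  # long as it stays inside the drift window.
  def validate_without_burn(code, now)
    !verify_totp(@secret, code, now).nil?
  end

  # Incomplete burn (the CVE-2021-43177 pattern): the match is compared against the
  # burned step, but the step recorded is the server's *current* step, not the one
  # that matched. A code generated one step ahead and validated at step T is
  # recorded as T, still compares greater at T+1, and is accepted once more.
  def validate_and_consume_incomplete!(code, now)
    matched = verify_totp(@secret, code, now)
    return false if matched.nil?
    return false if @consumed_timestep && matched <= @consumed_timestep
    @consumed_timestep = timestep(now)
    true
  end

  # Complete burn: record the matched step itself and reject any match at or below it.
  def validate_and_consume!(code, now)
    matched = verify_totp(@secret, code, now)
    return false if matched.nil?
    return false if @consumed_timestep && matched <= @consumed_timestep
    @consumed_timestep = matched
    true
  end
end

# Constructed scenario: the authenticator runs 30 s ahead of the server (within drift),
# so the code is for step T+1 but submitted at step T; the captured code is then
# replayed one and two intervals later. Returns the accept/reject sequence per variant.
def replay_demo(secret = 'JBSWY3DPEHPK3PXP')
  t0    = Time.at(1_700_000_000)
  code  = totp(secret, t0 + INTERVAL)
  times = [t0, t0 + INTERVAL, t0 + 2 * INTERVAL]
  no_burn, incomplete, complete = Array.new(3) { Account.new(secret) }
  {
    no_burn:    times.map { |t| no_burn.validate_without_burn(code, t) },
    incomplete: times.map { |t| incomplete.validate_and_consume_incomplete!(code, t) },
    complete:   times.map { |t| complete.validate_and_consume!(code, t) },
  }
end
```

`replay_demo` returns `[true, true, true]` for the no-burn variant, `[true, true, false]` for the incomplete burn (exactly the "one and only one immediately trailing interval" the CVE-2021-43177 text describes) and `[true, false, false]` for the complete burn. The design point is that `verify_totp` hands back the step that matched: a verifier that only returns true/false cannot burn the right step once drift is allowed. For the secret-length advisory, `secret_meets_rfc4226?(random_base32(24))` is false and a 32-character secret (160 bits) passes.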
Check whether devise-two-factor is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for devise-two-factor CVEs against the assets you own.