ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
- >= 3.5.4
DESCRIPTION
Devise versions before 3.5.4 use cookies to implement the "Remember me" functionality. However, the same cookie is generated for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
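The following is an added example, not Devise's code or its actual fix: a simplified model of the weakness described above, next to a per-device design with expiry and revocation. All names (`weak_cookie`, `RememberStore`, `SECRET`) and the assumption that the weak cookie is derived from the user id and a password salt are hypothetical.

```ruby
require "openssl"
require "digest"
require "securerandom"

SECRET = "constructed-demo-secret" # constructed value, for this example only

# Weak model (assumption): the cookie depends only on per-user state, so every
# device receives the same value and it stays valid until the password changes.
def weak_cookie(user)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{user[:id]}:#{user[:password_salt]}")
end

# Hardened model: one random token per device, stored server-side as a hash,
# with an expiry time and the ability to revoke a single device.
class RememberStore
  def initialize(ttl:)
    @ttl = ttl
    @tokens = {} # SHA-256(token) => { user_id:, expires_at: }
  end

  # Returns the raw token to place in this device's cookie.
  def issue(user_id, now: Time.now)
    token = SecureRandom.hex(32)
    @tokens[digest(token)] = { user_id: user_id, expires_at: now + @ttl }
    token
  end

  # Returns the user id, or nil if the token is unknown, revoked or expired.
  def user_for(token, now: Time.now)
    entry = @tokens[digest(token)]
    return nil if entry.nil? || now >= entry[:expires_at]
    entry[:user_id]
  end

  def revoke(token)
    @tokens.delete(digest(token))
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

In the weak model a cookie copied from one device is indistinguishable from the owner's cookie on any other device; in the hardened model it can be revoked on its own and expires regardless of password changes.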